GHSA-ppxx-m926-g569: Apache Kylin vulnerable to remote code execution
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. Remote code execution is possible by closing the single quotation marks around the parameter value of “-- conf=”, which lets an attacker inject arbitrary operating system commands into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.
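The following is an editorial illustration of the quoting problem the advisory describes, added here and not taken from the GitHub advisory or from Kylin's source code. It models a hypothetical spark-submit-style launcher that accepts configuration overrides, shows (by tokenizing rather than executing) how single quotes around a user-supplied value fail to contain a value that itself carries a quote, and contrasts two fixes: escaping with shlex.quote, and building argv without a shell behind an allowlist. The override values and the allowlist regexes are constructed for this example and are not Kylin's actual policy.

```python
"""
Editorial example (not Kylin's code): why interpolating a user-controlled
configuration override into a shell command string is unsafe, and two
ways to build the same command so that quote characters in the value
cannot change the command line.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample overrides. The hostile value carries a stray single
# quote followed by an extra argument, which is the shape of problem the
# advisory describes (closing the quotes around a --conf value).
BENIGN: Dict[str, str] = {"spark.executor.memory": "1g"}
HOSTILE: Dict[str, str] = {"spark.executor.memory": "1g' --verbose 'x"}

# Assumed allowlist policy for this example, not Kylin's actual rules:
# keys look like dotted identifiers, values are limited to characters
# that have no meaning to a POSIX shell.
_KEY_RE = re.compile(r"[A-Za-z0-9_.-]+")
_VALUE_RE = re.compile(r"[A-Za-z0-9_.,:/=+@-]*")


class UnsafeOverride(ValueError):
    """Raised when an override is not accepted by the allowlist."""


def validate_override(key: str, value: str) -> None:
    """Reject any key or value outside the allowlist before it is used."""
    if not _KEY_RE.fullmatch(key):
        raise UnsafeOverride(f"rejected key: {key!r}")
    if not _VALUE_RE.fullmatch(value):
        raise UnsafeOverride(f"rejected value for {key}: {value!r}")


def build_command_unsafe(overrides: Dict[str, str]) -> str:
    """The vulnerable pattern: wrap the value in single quotes inside a
    shell string and trust the quotes to contain it."""
    parts = ["spark-submit"]
    for key, value in overrides.items():
        parts.append(f"--conf '{key}={value}'")
    return " ".join(parts)


def shell_words(command: str) -> List[str]:
    """Split a command string the way a POSIX shell would (shlex follows
    the same quoting rules), so we can inspect what the shell would run
    without actually running anything."""
    return shlex.split(command)


def build_command_quoted(overrides: Dict[str, str]) -> str:
    """Minimum fix when a shell string is unavoidable: let shlex.quote
    escape the value, so an embedded quote stays part of the value."""
    parts = ["spark-submit"]
    for key, value in overrides.items():
        kv = f"{key}={value}"
        parts.append(f"--conf {shlex.quote(kv)}")
    return " ".join(parts)


def build_argv_safe(overrides: Dict[str, str]) -> List[str]:
    """Preferred fix: validate against the allowlist and pass each option
    as its own argv element (for use with subprocess.run(argv) and
    shell=False), so no shell ever parses the value."""
    argv = ["spark-submit"]
    for key, value in overrides.items():
        validate_override(key, value)
        argv += ["--conf", f"{key}={value}"]
    return argv


if __name__ == "__main__":
    print("unsafe, benign :", shell_words(build_command_unsafe(BENIGN)))
    print("unsafe, hostile:", shell_words(build_command_unsafe(HOSTILE)))
    print("quoted, hostile:", shell_words(build_command_quoted(HOSTILE)))
    print("argv,   benign :", build_argv_safe(BENIGN))
    try:
        build_argv_safe(HOSTILE)
    except UnsafeOverride as exc:
        print("argv,   hostile:", exc)
```

With the hostile value, the unsafe builder's string tokenizes into five shell words instead of three, meaning the value has escaped its quotes and grown the command line; the shlex.quote variant keeps it as a single word, and the argv builder rejects it outright. Reviewing code for the first pattern (string concatenation into a shell with hand-placed quotes around user input) is the practical way to find this class of defect.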
- GitHub Advisory Database (GitHub Reviewed)
- CVE-2022-24697
Critical severity. Published Jul 6, 2023 to the GitHub Advisory Database; updated Jul 6, 2023.
Affected packages (Maven), affected versions < 4.0.2:
- org.apache.kylin:kylin-core-common
- org.apache.kylin:kylin-server-base
- org.apache.kylin:kylin-spark-project