VYPR
Moderate severity · NVD Advisory · Published Jan 6, 2022 · Updated Aug 4, 2024

Command injection

CVE-2021-45456

Description

Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may allow an illegal project name to pass the check and proceed to the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Kylin 4.0.0 is vulnerable to command injection in DiagnosisService due to a mismatch between project name validation and its use in shell commands.

Vulnerability

Apache Kylin 4.0.0 contains a command injection vulnerability in DiagnosisService. The application checks the legitimacy of the project name before executing certain commands, but there is a mismatch between the checked value and the value used as the shell command argument. This allows a crafted project name with malicious shell metacharacters to bypass validation and be passed directly to a shell command. The issue affects all deployments of Apache Kylin 4.0.0 [1].

Exploitation

An attacker must be able to supply a project name to Apache Kylin, typically via the web interface or API. By providing a project name containing shell command separators (e.g., ;, |, or backticks) and commands, the attacker can cause injection. The attacker needs no privileges beyond normal project creation or modification access. The exact steps involve submitting a project name that, when used in a shell command within DiagnosisService, executes attacker-controlled commands [1][3].

Impact

Successful exploitation allows arbitrary command execution with the privileges of the Kylin server process. This can lead to full compromise of the Kylin server, including data exfiltration, modification, or denial of service. The attacker gains the ability to execute any OS-level command, effectively taking control of the affected system [1][3].

Mitigation

The vulnerability is fixed in Apache Kylin version 4.0.1, released on 2022-01-06. Users should upgrade to 4.0.1 or apply the patch available at https://github.com/apache/kylin/pull/1781 [3][4]. No workaround is provided for versions before 4.0.1; upgrading is the recommended action.
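The check/use mismatch described above, and the shape of the fix, as an added Python illustration (not Kylin's code). It assumes that Kylin's ValidateUtil.convertStringToBeAlphanumericUnderscore simply drops every character outside [A-Za-z0-9_], uses a constructed project list in place of ProjectManager, and uses /bin/echo as a harmless stand-in for the diagnosis CLI:

```python
import re
import subprocess

# Assumed behaviour of Kylin's ValidateUtil.convertStringToBeAlphanumericUnderscore:
# drop every character outside [A-Za-z0-9_]. (Assumption, not the project's code.)
def to_alnum_underscore(s: str) -> str:
    return re.sub(r"[^A-Za-z0-9_]", "", s)

# Constructed stand-in for ProjectManager: names of projects that exist.
KNOWN_PROJECTS = {"learn_kylin", "sales"}

def build_diag_args_vulnerable(project: str, export_path: str) -> list:
    """Pre-fix shape of dumpProjectDiagnosisInfo: the existence check runs on the
    sanitized name, but the raw user value is what reaches the CLI arguments."""
    if to_alnum_underscore(project) not in KNOWN_PROJECTS:
        raise ValueError("project not found")
    return [project, export_path]

def build_diag_args_fixed(project: str, export_path: str) -> list:
    """Post-fix shape: sanitize once and use that single value for the lookup,
    the error message and the command arguments."""
    project_name = to_alnum_underscore(project)
    if project_name not in KNOWN_PROJECTS:
        raise ValueError(f"project not found: {project_name}")
    return [project_name, export_path]

def check_use_mismatch(project: str) -> bool:
    """Detection helper: True if the vulnerable path accepts `project` while the
    value it would pass on differs from the value it actually checked."""
    try:
        args = build_diag_args_vulnerable(project, "/tmp/diag")
    except ValueError:
        return False
    return args[0] != to_alnum_underscore(args[0])

def run_diagnosis(args: list) -> str:
    """Defensive invocation: argv list and no shell, so separators stay literal.
    /bin/echo stands in for Kylin's diag script (constructed for the demo)."""
    proc = subprocess.run(["echo", *args], capture_output=True, text=True, check=True)
    return proc.stdout.strip()

if __name__ == "__main__":
    raw = "sal;es"   # sanitizes to the existing project "sales"; the raw value keeps ';'
    print("vulnerable args:", build_diag_args_vulnerable(raw, "/tmp/diag"))
    print("fixed args:     ", build_diag_args_fixed(raw, "/tmp/diag"))
    print("mismatch:", check_use_mismatch(raw))
```

Any character outside the allow-list survives in the value the vulnerable path forwards while disappearing from the value it validated; the fixed path cannot diverge because there is only one value.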

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.kylin:kylin (Maven)
Affected versions: < 4.0.1
Patched versions: 4.0.1

Patches

1
f4daf14dde99

test fix

https://github.com/apache/kylin · yaqian.zhang · Dec 7, 2021 · via ghsa
5 files changed · +23 −6
  • core-common/src/main/java/org/apache/kylin/common/KylinConfigBase.java (+4 −0, modified)
    @@ -3403,4 +3403,8 @@ public String getKerberosJaasConfPath() {
         public String getKerberosPrincipal() {
             return getOptional("kylin.kerberos.principal");
         }
    +
    +    public String getEncryptCipherIvSpec() {
    +        return getOptional("kylin.security.encrypt.cipher.ivSpec", "AAAAAAAAAAAAAAAA");
    +    }
     }
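Review bot: the default handed to getOptional in getEncryptCipherIvSpec is the same fixed string "AAAAAAAAAAAAAAAA" that EncryptUtil hard-coded before, so any deployment that does not set kylin.security.encrypt.cipher.ivSpec keeps a static, publicly known IV, and the new property is not documented anywhere in this change. Consider documenting the key in the configuration reference, failing loudly when it is unset instead of silently falling back, and noting that a configurable but constant IV still repeats across every encryption.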
    
  • core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java (+2 −1, modified)
    @@ -25,6 +25,7 @@
     import java.security.NoSuchAlgorithmException;
     
     import org.apache.commons.codec.binary.Base64;
    +import org.apache.kylin.common.KylinConfig;
     
     import javax.crypto.Cipher;
     import javax.crypto.NoSuchPaddingException;
    @@ -42,7 +43,7 @@ private static final Cipher getCipher(int cipherMode) throws InvalidAlgorithmPar
                 InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, UnsupportedEncodingException {
             Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
             final SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
    -        IvParameterSpec ivSpec = new IvParameterSpec("AAAAAAAAAAAAAAAA".getBytes("UTF-8"));
    +        IvParameterSpec ivSpec = new IvParameterSpec(KylinConfig.getInstanceFromEnv().getEncryptCipherIvSpec().getBytes("UTF-8"));
             cipher.init(cipherMode, secretKey, ivSpec);
             return cipher;
         }
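Review bot: the configured IV goes through getBytes("UTF-8") and must come out to exactly 16 bytes; IvParameterSpec accepts any length, so a wrong-length value only surfaces as an InvalidAlgorithmParameterException from cipher.init at runtime. A length check with a clear message belongs either here or in getEncryptCipherIvSpec. The IV also remains constant per deployment: AES/CFB with a fixed IV under the same key reveals whether two plaintexts share a prefix, so a random per-message IV prepended to the ciphertext would be the stronger fix.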
    
  • core-common/src/test/java/org/apache/kylin/common/util/EncryptUtilTest.java (+12 −1, modified)
    @@ -18,10 +18,21 @@
     
     package org.apache.kylin.common.util;
     
    +import org.junit.After;
     import org.junit.Assert;
    +import org.junit.Before;
     import org.junit.Test;
     
    -public class EncryptUtilTest {
    +public class EncryptUtilTest extends LocalFileMetadataTestCase {
    +    @Before
    +    public void setUp() throws Exception {
    +        this.createTestMetadata();
    +    }
    +
    +    @After
    +    public void after() throws Exception {
    +        this.cleanupTestMetadata();
    +    }
     
         @Test
         public void testAESEncrypt(){
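Review bot: extending LocalFileMetadataTestCase only makes KylinConfig.getInstanceFromEnv() resolvable so the existing testAESEncrypt keeps running; nothing in this hunk asserts that a non-default kylin.security.encrypt.cipher.ivSpec is actually honoured by getCipher. Add a case that sets the property to a second 16-byte value and checks that the ciphertext changes, and one that shows a wrong-length value is rejected.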
    
  • server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java (+4 −3, modified)
    @@ -86,15 +86,16 @@ public BadQueryHistory getProjectBadQueryHistory(String project) throws IOExcept
     
         public String dumpProjectDiagnosisInfo(String project, File exportPath) throws IOException {
             Message msg = MsgPicker.getMsg();
    +        String projectName = ValidateUtil.convertStringToBeAlphanumericUnderscore(project);
             ProjectInstance projectInstance =
                     ProjectManager.getInstance(KylinConfig.getInstanceFromEnv())
    -                        .getProject(ValidateUtil.convertStringToBeAlphanumericUnderscore(project));
    +                        .getProject(projectName);
             if (null == projectInstance) {
                 throw new BadRequestException(
    -                    String.format(Locale.ROOT, msg.getDIAG_PROJECT_NOT_FOUND(), project));
    +                    String.format(Locale.ROOT, msg.getDIAG_PROJECT_NOT_FOUND(), projectName));
             }
             aclEvaluate.checkProjectOperationPermission(projectInstance);
    -        String[] args = { project, exportPath.getAbsolutePath() };
    +        String[] args = { projectName, exportPath.getAbsolutePath() };
             runDiagnosisCLI(args);
             return getDiagnosisPackageName(exportPath);
         }
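Review bot: this hunk is the actual fix for the check/use mismatch: the sanitized projectName is now the single value used for the lookup, the error message and the args handed to runDiagnosisCLI, whereas before the raw `project` reached the CLI after only its sanitized copy had been validated. Two follow-ups: confirm that runDiagnosisCLI passes args to the process as an argv array rather than concatenating them into a shell line, since the alphanumeric/underscore conversion is now the only barrier; and note that the error message now reports the sanitized name instead of the user's input, a deliberate and desirable change that the commit message ("test fix") does not mention.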
    
  • server/src/main/webapp/WEB-INF/web.xml (+1 −1, modified)
    @@ -75,7 +75,7 @@
        </init-param>     
       <init-param>
           <param-name>cors.supportsCredentials </param-name>
    -      <param-value>true</param-value>
    +      <param-value>false</param-value>
        </init-param>    
     </filter>
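Review bot: flipping cors.supportsCredentials to false is unrelated to the command injection and is not described in the commit message; it stops browsers from attaching cookies or Authorization headers to cross-origin requests, which is a sensible default but can break clients that relied on credentialed CORS. Split it into its own commit or state the intent in the message.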
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
