Moderate severityNVD Advisory· Published Jan 6, 2022· Updated Aug 4, 2024
Command injection
CVE-2021-45456
Description
Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.kylin:kylinMaven | < 4.0.1 | 4.0.1 |
Affected products
2- Apache Software Foundation/Apache Kylinv5Range: Apache Kylin 4 4.0.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-hw3m-8h25-8frwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-45456ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/01/06/1ghsamailing-listx_refsource_MLISTWEB
- github.com/apache/kylin/commit/f4daf14dde99b934c92ce2c832509f24342bc845ghsaWEB
- github.com/apache/kylin/pull/1781ghsaWEB
- lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpfghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.