Apache Kylin prior to 4.0.2 allows command injection when the configuration overwrites function overwrites system parameters
Description
Command injection in Apache Kylin's cube designer allows RCE by injecting OS commands via the --conf= parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache Kylin's cube designer function contains a command injection vulnerability in the configuration overwrites menu. When overwriting system parameters, the application fails to properly sanitize user input, allowing an attacker to close the single quotation marks around the parameter value of --conf= and inject arbitrary operating system commands into the command line. This affects Kylin 2 (up to 2.6.5), Kylin 3 (up to 3.1.2), and Kylin 4 (up to 4.0.1). [1]
Exploitation
To exploit, an attacker must have access to the cube designer function. By crafting a malicious input that closes the existing single quote and appends a new command, the injection is passed to the underlying system shell. No authentication bypass is required for users who can already access the configuration overwrites menu. The attack vector is local or remote depending on deployment, but the cube designer is typically accessible via the web interface. [1]
Impact
Successful exploitation results in remote code execution (RCE) under the privileges of the Kylin process. An attacker can execute arbitrary system commands, potentially leading to full compromise of the Kylin server, data exfiltration, or lateral movement within the network.
Mitigation
The vulnerability is fixed in later versions. Users should upgrade to Kylin 4.0.2 or later (the fix is incorporated in pull request #1811 [4]). For Kylin 2 and 3 users, upgrading to a supported release or applying the relevant patch is recommended. CVE-2022-24697 is distinct from a later bypass (CVE-2022-43396) which required additional hardening. [3]
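The defect described above is the classic pattern of interpolating a user-controlled configuration override into a single-quoted shell string. The following is an added illustration, not Kylin's own code or the code changed in the referenced pull request: it contrasts a string-built command line with an argument-vector build plus a conservative allow-list on override keys and values. The `spark-submit` launcher, the override dictionary and the `spark.executor.memory` sample key are assumptions chosen for the example.

```python
import re
import shlex

# Constructed example: key regex, metacharacter set and sample overrides are
# assumptions for illustration; they are not taken from Kylin's code base.
KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Characters that let a value break out of a quoted shell argument or chain
# commands: quotes, backticks, $, separators, redirections, backslash, newlines.
SHELL_META = set("'\"`$;|&<>()\\\n\r\x00")


def legacy_command_string(overrides: dict) -> str:
    """Vulnerable pattern: values spliced into a shell string.

    A single quote inside a value closes the quoted --conf= argument, so the
    rest of the value is parsed by the shell as new words. Returned only for
    contrast; never hand this string to a shell.
    """
    parts = ["spark-submit"]
    for key, value in overrides.items():
        parts.append(f"--conf='{key}={value}'")
    return " ".join(parts)


def validate_override(key: str, value: str) -> None:
    """Reject keys outside a dotted-identifier alphabet and values carrying
    shell metacharacters or control characters. Raises ValueError."""
    if not KEY_RE.match(key):
        raise ValueError(f"invalid override key: {key!r}")
    bad = sorted(set(value) & SHELL_META)
    if bad:
        raise ValueError(f"override {key!r} contains shell metacharacters {bad}")
    if any(ord(c) < 0x20 for c in value):
        raise ValueError(f"override {key!r} contains control characters")


def hardened_argv(overrides: dict) -> list:
    """Hardened pattern: validate each override and build an argument vector.

    Each value becomes exactly one argv element, so the shell never parses it.
    Pass the result to subprocess.run(argv) without shell=True.
    """
    argv = ["spark-submit"]
    for key, value in overrides.items():
        validate_override(key, value)
        argv += ["--conf", f"{key}={value}"]
    return argv


def suspicious_overrides(overrides: dict) -> list:
    """Detection helper for log or audit review: keys whose values carry any
    shell metacharacter, which is how a quote-closing injection would look."""
    return sorted(k for k, v in overrides.items() if set(v) & SHELL_META)


if __name__ == "__main__":
    benign = {"spark.executor.memory": "4G"}           # constructed sample
    broken = {"spark.executor.memory": "4G'x"}         # constructed sample
    print(legacy_command_string(broken))               # quote is closed early
    print(shlex.join(hardened_argv(benign)))           # safe, quoted for logs
    print(suspicious_overrides(broken))
```

Two independent controls are shown: the argument vector removes the shell from the path entirely, and the allow-list rejects values the configuration syntax never needs, so a missed edge case in one control is caught by the other.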
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin-core-common (Maven) | < 4.0.2 | 4.0.2 |
| org.apache.kylin:kylin-spark-project (Maven) | < 4.0.2 | 4.0.2 |
| org.apache.kylin:kylin-server-base (Maven) | < 4.0.2 | 4.0.2 |
Affected products
- GHSA coordinates (3 packages): pkg:maven/org.apache.kylin/kylin-core-common, pkg:maven/org.apache.kylin/kylin-server-base, pkg:maven/org.apache.kylin/kylin-spark-project; range: < 4.0.2
- (no CPE) range: < 4.0.2
- (no CPE) range: < 4.0.2
- (no CPE) range: < 4.0.2
- Apache Software Foundation / Apache Kylin (CPE v5); Range: Apache Kylin 2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-ppxx-m926-g569 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-24697 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2022/12/30/1 (ghsa; mailing-list, WEB)
- github.com/apache/kylin/pull/1811 (ghsa; WEB)
- lists.apache.org/thread/07mnn9c7o314wrhrwjr10w9j5s82voj4 (ghsa; WEB)
News mentions
No linked articles in our index yet.