Apache Kylin: Command injection by Useless configuration
Description
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Kylin's blacklist filter for user commands can be bypassed via the kylin.engine.spark-cmd parameter, allowing remote code execution.
Vulnerability
Overview
CVE-2022-43396 is a blacklist bypass vulnerability in Apache Kylin. The fix for CVE-2022-24697 implemented a blacklist to filter user input commands, but this approach is incomplete and can be circumvented [1]. The root cause is that the blacklist does not adequately block all malicious inputs, leaving the system exposed.
Exploitation
An attacker can control the kylin.engine.spark-cmd configuration parameter to inject arbitrary commands. This parameter is processed by the system without proper validation, bypassing the blacklist filter [1]. The attack likely requires some level of authentication or access to modify configuration parameters, but once achieved, arbitrary command execution follows.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the Kylin server with the privileges of the Kylin process. This can lead to full system compromise, including data exfiltration, installation of backdoors, or lateral movement within the network.
Mitigation
The issue is addressed in later versions of Apache Kylin. Users should upgrade to a patched version or apply the relevant fix from the project's repository [2]. No workarounds have been publicly identified, and the vulnerability is considered high severity.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin (Maven) | >= 2.0.0, < 4.0.3 | 4.0.3 |
Affected products
- Apache Software Foundation / Apache Kylin, range: Apache Kylin 4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-f5q9-j9r2-34gq (GHSA advisory)
- lists.apache.org/thread/ob2ks04zl5ms0r44cd74y1xdl1rzfd1r (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2022-43396 (NVD advisory)
- [2] github.com/apache/kylin/pull/2011 (package, fix pull request)
News mentions
No linked articles in our index yet.