High severityNVD Advisory· Published Dec 30, 2022· Updated Apr 11, 2025
Apache Kylin: Command injection by Useless configuration
CVE-2022-43396
Description
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.kylin:kylinMaven | >= 2.0.0, < 4.0.3 | 4.0.3 |
Affected products
2- Apache Software Foundation/Apache Kylinv5Range: Apache Kylin 4
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-f5q9-j9r2-34gqghsaADVISORY
- lists.apache.org/thread/ob2ks04zl5ms0r44cd74y1xdl1rzfd1rghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-43396ghsaADVISORY
- github.com/apache/kylin/pull/2011ghsaPACKAGE
News mentions
0No linked articles in our index yet.