Apache Kylin: Command injection by Diagnosis Controller
Description
Apache Kylin's Diagnosis Controller lacks input validation, enabling command injection via crafted HTTP requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
CVE-2022-44621 describes a command injection vulnerability in the Diagnosis Controller of Apache Kylin. The root cause is the lack of parameter validation when processing HTTP requests. Specifically, the controller does not sanitize user-supplied input before using it in system commands, allowing an attacker to inject arbitrary commands.
Exploitation / Attack Surface
An attacker can exploit this vulnerability by sending a crafted HTTP request to the Diagnosis Controller endpoint. No prior authentication is mentioned in the description, suggesting the endpoint may be accessible without credentials [1]. The attack vector is over the network, requiring no physical access. The vulnerability was addressed in a commit that introduced the use of ParameterFilter.checkParameter() to sanitize inputs [3][4].
Potential Impact
Successful command injection could allow an attacker to execute arbitrary commands on the underlying server with the privileges of the Kylin process. Depending on the configuration, this could lead to unauthorized data access, system compromise, or further lateral movement within the network. The official description and references confirm this as a command injection issue [2].
Mitigation Status
Apache Kylin has patched this vulnerability by removing vulnerable code and adding input sanitization, as seen in commit fd2977e21c51f1afed668f2d9713cf562f2dc42d [3] and pull request #2011 [4]. Users are advised to update to a version containing this fix. If upgrading is not immediately possible, network-level restrictions should be applied to the Diagnosis Controller endpoints.
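As an added illustration of the mitigation pattern the narrative describes (this is example code, not code from Apache Kylin or from the fix commit): a path variable such as jobId is rejected outright unless it matches a strict allowlist, and any OS command that uses it is built as an argument list rather than a shell string. The class name, the method names checkJobId and buildDiagCommand, the allowlist pattern and the placeholder tool name are all assumptions; Kylin's real ParameterFilter.checkParameter() is not reproduced here.

```java
import java.io.File;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not Kylin's own code). Validates an untrusted path
 * variable before it reaches anything that builds an OS command or a
 * file path, and shows the no-shell way to assemble that command.
 */
public final class DiagParamCheck {

    // Assumed allowlist: letters, digits, '_' and '-' only. Inputs outside it
    // are rejected rather than "cleaned", so no metacharacter survives and
    // path separators ("/", "..") are excluded as a side effect.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    public static String checkJobId(String jobId) {
        if (jobId == null || !SAFE_ID.matcher(jobId).matches()) {
            // A controller would map this to HTTP 400 instead of running anything.
            throw new IllegalArgumentException("invalid job id");
        }
        return jobId;
    }

    // Hardened invocation: every argument is its own element, no "sh -c",
    // so the shell never parses the (already validated) id at all.
    // "diag-tool" is a placeholder for whatever the server would run.
    public static List<String> buildDiagCommand(File diagDir, String jobId) {
        String safeId = checkJobId(jobId);
        return Arrays.asList(
                "diag-tool",
                "--job", safeId,
                "--out", new File(diagDir, safeId + ".zip").getPath());
        // To execute: new ProcessBuilder(cmd).start(); (not done in this demo)
    }

    public static void main(String[] args) {
        File dir = new File("/tmp/diag_job");   // constructed sample directory

        // Accepted: a well-formed id produces a plain argument list.
        System.out.println(buildDiagCommand(dir, "job-2022-demo"));

        // Rejected: a constructed id containing a shell separator never
        // reaches the command builder.
        try {
            buildDiagCommand(dir, "demo; echo injected");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately narrow; if real job ids use other characters, widen the pattern rather than switching to a denylist of metacharacters, and keep the argument-list invocation so that validation is a second layer rather than the only one.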
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin-server-base (Maven) | >= 2.0.0, < 4.0.3 | 4.0.3 |
Affected products
- Apache Software Foundation / Apache Kylin (v5); range: Apache Kylin 4
Patches
3 files changed · +3 −11
core-common/src/main/java/org/apache/kylin/common/KylinConfigBase.java+0 −8 modified@@ -2107,14 +2107,6 @@ public String getKylinParquetJobJarPath() { return getFileName(kylinHome + File.separator + "lib", PARQUET_JOB_JAR_NAME_PATTERN); } - /** - * Use https://github.com/spektom/spark-flamegraph for Spark profile - */ - @ConfigTag(ConfigTag.Tag.DEBUG_HACK) - public String getSparkSubmitCmd() { - return getOptional("kylin.engine.spark-cmd", null); - } - public void overrideKylinParquetJobJarPath(String path) { logger.info("override {} to {}", KYLIN_ENGINE_PARQUET_JOB_JAR, path); System.setProperty(KYLIN_ENGINE_PARQUET_JOB_JAR, path);
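Review bot: deleting getSparkSubmitCmd() also drops the `kylin.engine.spark-cmd` property, and nothing in this hunk deprecates or documents that; a deployment that still sets the key will silently fall back to the default spark-submit path. Suggest recording the removed property in the release notes and the kylin.properties template, and logging a warning when the now-ignored key is still present in the loaded configuration.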
kylin-spark-project/kylin-spark-engine/src/main/java/org/apache/kylin/engine/spark/job/NSparkExecutable.java+1 −2 modified@@ -397,8 +397,7 @@ protected String generateSparkCmd(KylinConfig config, String hadoopConf, String String appArgs) { StringBuilder sb = new StringBuilder(); - String sparkSubmitCmd = config.getSparkSubmitCmd() != null ? - config.getSparkSubmitCmd() : KylinConfig.getSparkHome() + "/bin/spark-submit"; + String sparkSubmitCmd = KylinConfig.getSparkHome() + "/bin/spark-submit"; sb.append("export HADOOP_CONF_DIR=%s && %s --class org.apache.kylin.engine.spark.application.SparkEntry "); Map<String, String> sparkConfs = getSparkConfigOverride(config);
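Review bot: the spark-submit path is now fixed to `KylinConfig.getSparkHome() + "/bin/spark-submit"`, but it is still formatted into the `export HADOOP_CONF_DIR=%s && %s --class ...` shell string, so the command is only as safe as getSparkHome() and hadoopConf. Confirm both values come from server configuration rather than request data, and guard against getSparkHome() returning null, which would produce `null/bin/spark-submit`.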
server-base/src/main/java/org/apache/kylin/rest/controller/DiagnosisController.java+2 −1 modified@@ -26,6 +26,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.kylin.common.persistence.AutoDeleteDirectory; +import org.apache.kylin.common.util.ParameterFilter; import org.apache.kylin.metadata.badquery.BadQueryEntry; import org.apache.kylin.metadata.badquery.BadQueryHistory; import org.apache.kylin.rest.exception.InternalErrorException; @@ -95,7 +96,7 @@ public void dumpProjectDiagnosisInfo(@PathVariable String project, final HttpSer public void dumpJobDiagnosisInfo(@PathVariable String jobId, final HttpServletRequest request, final HttpServletResponse response) { try (AutoDeleteDirectory diagDir = new AutoDeleteDirectory("diag_job", "")) { - String filePath = dgService.dumpJobDiagnosisInfo(jobId, diagDir.getFile()); + String filePath = dgService.dumpJobDiagnosisInfo(ParameterFilter.checkParameter(jobId), diagDir.getFile()); setDownloadResponse(filePath, response); } catch (IOException e) { throw new InternalErrorException("Failed to dump job diagnosis info. " + e.getMessage(), e);
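Review bot: only the jobId argument of dumpJobDiagnosisInfo is wrapped with ParameterFilter.checkParameter(); the hunk's context line shows `dumpProjectDiagnosisInfo(@PathVariable String project, ...)` directly above, and this diff does not touch it, so confirm `project` is validated on the same code path (here or inside dgService). Since checkParameter's behaviour is not visible in this change, also add a controller test that passes a jobId containing shell metacharacters and asserts the request is rejected rather than silently rewritten into a different id.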
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w9rv-xmf7-x3gh (ghsa: ADVISORY)
- lists.apache.org/thread/7ctchj24dofgsj9g1rg1245cms9myb34 (ghsa: vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2022-44621 (ghsa: ADVISORY)
- github.com/apache/kylin/commit/fd2977e21c51f1afed668f2d9713cf562f2dc42d (ghsa: WEB)
- github.com/apache/kylin/pull/2011 (ghsa: WEB)
- github.com/apache/kylin/pull/2011/commits/418a63c61379d429312972fc94b87994e06b664f (ghsa: WEB)
News mentions
No linked articles in our index yet.