Maven package
org.apache.kylin/kylin
pkg:maven/org.apache.kylin/kylin
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61735 | — | >= 4.0.0, < 5.0.3 | 5.0.3 | Oct 2, 2025 | Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the | ||
| CVE-2025-61733 | — | >= 4.0.0, < 5.0.3 | 5.0.3 | Oct 2, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue. | ||
| CVE-2025-61734 | — | >= 4.0.0, < 5.0.3 | 5.0.3 | Oct 2, 2025 | Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0. | ||
| CVE-2025-30067 | — | >= 4.0.0, < 5.0.2 | 5.0.2 | Mar 27, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as t | ||
| CVE-2024-23590 | — | >= 2.0.0, < 5.0.0 | 5.0.0 | Nov 4, 2024 | Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. | ||
| CVE-2022-43396 | — | >= 2.0.0, < 4.0.3 | 4.0.3 | Dec 30, 2022 | In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf. | ||
| CVE-2021-45458 | — | < 3.1.3 | 3.1.3 | Jan 6, 2022 | Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encr | ||
| CVE-2021-45457 | — | < 3.1.3 | 3.1.3 | Jan 6, 2022 | In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions. | ||
| CVE-2021-45456 | — | < 4.0.1 | 4.0.1 | Jan 6, 2022 | Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal proj | ||
| CVE-2021-36774 | — | < 3.1.3 | 3.1.3 | Jan 6, 2022 | Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server proces | ||
| CVE-2021-31522 | — | < 3.1.3 | 3.1.3 | Jan 6, 2022 | Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions. | ||
| CVE-2021-27738 | — | < 3.1.3 | 3.1.3 | Jan 6, 2022 | All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, | ||
| CVE-2020-13937 | — | < 3.1.1 | 3.1.1 | Oct 19, 2020 | Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration inform |
- CVE-2025-61735Oct 2, 2025affected >= 4.0.0, < 5.0.3fixed 5.0.3
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the
- CVE-2025-61733Oct 2, 2025affected >= 4.0.0, < 5.0.3fixed 5.0.3
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
- CVE-2025-61734Oct 2, 2025affected >= 4.0.0, < 5.0.3fixed 5.0.3
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.
- CVE-2025-30067Mar 27, 2025affected >= 4.0.0, < 5.0.2fixed 5.0.2
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as t
- CVE-2024-23590Nov 4, 2024affected >= 2.0.0, < 5.0.0fixed 5.0.0
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
- CVE-2022-43396Dec 30, 2022affected >= 2.0.0, < 4.0.3fixed 4.0.3
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
- CVE-2021-45458Jan 6, 2022affected < 3.1.3fixed 3.1.3
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encr
- CVE-2021-45457Jan 6, 2022affected < 3.1.3fixed 3.1.3
In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
- CVE-2021-45456Jan 6, 2022affected < 4.0.1fixed 4.0.1
Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal proj
- CVE-2021-36774Jan 6, 2022affected < 3.1.3fixed 3.1.3
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server proces
- CVE-2021-31522Jan 6, 2022affected < 3.1.3fixed 3.1.3
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
- CVE-2021-27738Jan 6, 2022affected < 3.1.3fixed 3.1.3
All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes,
- CVE-2020-13937Oct 19, 2020affected < 3.1.1fixed 3.1.1
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration inform