Maven package

org.apache.kylin/kylin-core-common

pkg:maven/org.apache.kylin/kylin-core-common

Vulnerabilities (6)

CVE	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2025-61735	—		>= 4.0.0, < 5.0.3	5.0.3	Oct 2, 2025	Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the
CVE-2025-61733	—		>= 4.0.0, < 5.0.3	5.0.3	Oct 2, 2025	Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
CVE-2025-61734	—		>= 4.0.0, < 5.0.3	5.0.3	Oct 2, 2025	Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.
CVE-2023-29055	—		>= 2.0.0, < 4.0.4	4.0.4	Jan 29, 2024	In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers
CVE-2022-24697	—		< 4.0.2	4.0.2	Oct 13, 2022	Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system comma
CVE-2020-1956	—	KEV	< 2.6.6	2.6.6	May 22, 2020	Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

CVE-2025-61735Oct 2, 2025
affected >= 4.0.0, < 5.0.3fixed 5.0.3
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the
CVE-2025-61733Oct 2, 2025
affected >= 4.0.0, < 5.0.3fixed 5.0.3
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
CVE-2025-61734Oct 2, 2025
affected >= 4.0.0, < 5.0.3fixed 5.0.3
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.
CVE-2023-29055Jan 29, 2024
affected >= 2.0.0, < 4.0.4fixed 4.0.4
In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers
CVE-2022-24697Oct 13, 2022
affected < 4.0.2fixed 4.0.2
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system comma
CVE-2020-1956KEVMay 22, 2020
affected < 2.6.6fixed 2.6.6
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.