Maven package
org.apache.kylin/kylin-server-base
pkg:maven/org.apache.kylin/kylin-server-base
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-44621 | — | | | >= 2.0.0, < 4.0.3 | 4.0.3 | Dec 30, 2022 | The Diagnosis Controller lacks parameter validation, so a user may be attacked by command injection via an HTTP request. |
| CVE-2022-24697 | — | | | < 4.0.2 | 4.0.2 | Oct 13, 2022 | Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be achieved by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system comma |
| CVE-2020-13926 | — | | | < 3.1.0 | 3.1.0 | Jul 14, 2020 | Kylin concatenates and executes Hive SQL in the Hive CLI or beeline when building a new segment; part of the HQL comes from system configuration, which can be overwritten through certain REST APIs, making SQL injection possible. Users of all previous v |
| CVE-2020-13925 | — | | | < 3.1.0 | 3.1.0 | Jul 14, 2020 | Similar to CVE-2020-1956, Kylin has one more RESTful API which concatenates the API inputs into OS commands and then executes them on the server; the reported API lacks the necessary input validation, which gives attackers the possibility to execute OS command remot |
| CVE-2020-1937 | — | | | < 2.6.5 | 2.6.5 | Feb 24, 2020 | Kylin has some RESTful APIs which concatenate SQL with user input strings, so a user is likely to be able to run malicious database queries. |