Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
apache kylin vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2022-44621
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.
Apache Kylin
1 Github repository
9.8
CVSSv3
CVE-2022-24697
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any opera...
Apache Kylin
9.8
CVSSv3
CVE-2021-45456
Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal proj...
Apache Kylin 4.0.0
9.8
CVSSv3
CVE-2021-31522
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Apache Kylin
Apache Kylin 4.0.0
9.8
CVSSv3
CVE-2020-13925
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remot...
Apache Kylin
1 Github repository
9.8
CVSSv3
CVE-2020-13926
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous v...
Apache Kylin
8.8
CVSSv3
CVE-2022-43396
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
Apache Kylin
8.8
CVSSv3
CVE-2020-1956
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
Apache Kylin
Apache Kylin 3.0.0
Apache Kylin 3.0.1
1 Github repository
8.8
CVSSv3
CVE-2020-1937
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
Apache Kylin
Apache Kylin 3.0.0
7.5
CVSSv3
CVE-2023-29055
In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network...
Apache Kylin
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4761
command injection
CVE-2024-3676
IDOR
CVE-2024-30039
CVE-2024-32113
CVE-2024-30049
CVE-2024-4776
SQL injection
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »