oss-sec mailing list archives

CVE-2022-44621: Apache Kylin: Command injection by Diagnosis Controller

From: Xiaoxiang Yu <xxyu () apache org>
Date: Fri, 30 Dec 2022 07:15:23 +0000

Severity: important

Description:

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.

Work Arounds:

Users of Kylin 2.x & Kylin 3.x & 4.x should upgrade to 4.0.3 or apply patch  https://github.com/apache/kylin/pull/2011 
https://github.com/apache/kylin/pull/2011

Credit:

Messy God <godimessy () gmail com> (finder)

References:

https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-44621

Current thread:

CVE-2022-44621: Apache Kylin: Command injection by Diagnosis Controller Xiaoxiang Yu (Dec 30)