CRITICAL🇬🇧 English

CVE-2021-45456

CVSS 9.8v3.1pub. 2022-01-06upd. 2024-11-21

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Kylin

    APP
    Apache
    4.0.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2024-23590CRITICAL9.1PL ✓ten sam produkt

Session Fixation w Apache Kylin — przejęcie sesji użytkownika

CVE-2022-44621CRITICAL9.8ten sam produkt

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.

CVE-2022-24697CRITICAL9.8ten sam produkt

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the...

CVE-2021-31522CRITICAL9.8ten sam produkt

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 ...

CVE-2020-13925CRITICAL9.8ten sam produkt

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands an...

CVE-2021-45456 — CRITICAL 9.8 | CVEbaza.pl