org.apache.kylin:kylin-core-common@2.6.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kylin:kylin-core-common package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Insufficiently Protected Credentials

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Server Config web interface which displays the content of the kylin.properties file. An attacker can hijack the HTTP payload and gain access to potentially sensitive information, including server-side credentials, if the service is running over HTTP or another plaintext protocol.

Note:

This is only exploitable if the kylin service is accessible to external attackers and is not protected by HTTPS or network firewalls.

How to fix Insufficiently Protected Credentials?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.4 or higher.

[2.0.0,4.0.4)
  • H
Command Injection

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.3 or higher.

[2.0.0,4.0.3)
  • H
Remote Code Execution (RCE)

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.2 or higher.

[2.0.0,4.0.2)
  • M
Insecure Encryption

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Insecure Encryption. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.

How to fix Insecure Encryption?

Upgrade org.apache.kylin:kylin-core-common to version 3.1.3, 4.0.1 or higher.

[,3.1.3) [4.0.0-alpha,4.0.1)
  • H
Arbitrary Code Execution

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Arbitrary Code Execution as it allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes.

How to fix Arbitrary Code Execution?

Upgrade org.apache.kylin:kylin-core-common to version 3.1.3 or higher.

[,3.1.3)
  • H
Command Injection

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Command Injection. Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-core-common to version 2.3.2, 2.4.1, 2.5.2, 2.6.5 or higher.

[2.3.0,2.3.2) [2.4.0,2.4.1) [2.5.0,2.5.2) [2.6.0,2.6.5)