org.apache.kylin:kylin-core-common 4.0.0-alpha vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kylin:kylin-core-common package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Insufficiently Protected Credentials org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Server Config web interface which displays the content of the `kylin.properties` file. An attacker can hijack the HTTP payload and gain access to potentially sensitive information, including server-side credentials, if the service is running over HTTP or another plaintext protocol. Note: This is only exploitable if the kylin service is accessible to external attackers and is not protected by HTTPS or network firewalls. How to fix Insufficiently Protected Credentials? Upgrade `org.apache.kylin:kylin-core-common` to version 4.0.4 or higher.	[2.0.0,4.0.4)
H Command Injection org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`. How to fix Command Injection? Upgrade `org.apache.kylin:kylin-core-common` to version 4.0.3 or higher.	[2.0.0,4.0.3)
H Remote Code Execution (RCE) org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of `“-- conf=”` to inject any operating system command into the command line parameters. How to fix Remote Code Execution (RCE)? Upgrade `org.apache.kylin:kylin-core-common` to version 4.0.2 or higher.	[2.0.0,4.0.2)
M Insecure Encryption org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Insecure Encryption. If users use class `PasswordPlaceholderConfigurer` to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. How to fix Insecure Encryption? Upgrade `org.apache.kylin:kylin-core-common` to version 3.1.3, 4.0.1 or higher.	[,3.1.3)[4.0.0-alpha,4.0.1)
M Cryptographic Issues org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Cryptographic Issues due to usage of insecure `AES/ECB/PKCS5Padding`. How to fix Cryptographic Issues? Upgrade `org.apache.kylin:kylin-core-common` to version kylin-3.1.0 or higher.	[,kylin-3.1.0)

Vulnerability

Vulnerable Version

Insufficiently Protected Credentials

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Server Config web interface which displays the content of the kylin.properties file. An attacker can hijack the HTTP payload and gain access to potentially sensitive information, including server-side credentials, if the service is running over HTTP or another plaintext protocol.

Note:

This is only exploitable if the kylin service is accessible to external attackers and is not protected by HTTPS or network firewalls.

How to fix Insufficiently Protected Credentials?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.4 or higher.

[2.0.0,4.0.4)

Command Injection

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.3 or higher.

[2.0.0,4.0.3)

Remote Code Execution (RCE)

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.2 or higher.

[2.0.0,4.0.2)

Insecure Encryption

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Insecure Encryption. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.

How to fix Insecure Encryption?

Upgrade org.apache.kylin:kylin-core-common to version 3.1.3, 4.0.1 or higher.

[,3.1.3)[4.0.0-alpha,4.0.1)

Cryptographic Issues

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Cryptographic Issues due to usage of insecure AES/ECB/PKCS5Padding.

How to fix Cryptographic Issues?

Upgrade org.apache.kylin:kylin-core-common to version kylin-3.1.0 or higher.

[,kylin-3.1.0)

org.apache.kylin:kylin-core-common@4.0.0-alpha vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?