org.apache.kylin:kylin-server-base 2.5.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kylin:kylin-server-base package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Command Injection org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data. Affected versions of this package are vulnerable to Command Injection due to the `Diagnosis Controller` missing parameter validation, allowing an attacker to send malicious HTTP requests. How to fix Command Injection? Upgrade `org.apache.kylin:kylin-server-base` to version 4.0.3 or higher.	[2.0.0,4.0.3)
H Remote Code Execution (RCE) org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data. Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of `“-- conf=”` to inject any operating system command into the command line parameters. How to fix Remote Code Execution (RCE)? Upgrade `org.apache.kylin:kylin-server-base` to version 4.0.2 or higher.	[2.0.0,4.0.2)
H Improper Input Validation org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data. Affected versions of this package are vulnerable to Improper Input Validation due to the possibility to receive user input and load any class through `Class.forName(...)`. How to fix Improper Input Validation? Upgrade `org.apache.kylin:kylin-server-base` to version 4.0.1, 3.1.3 or higher.	[4.0.0-alpha,4.0.1)[,3.1.3)
C SQL Injection org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data. Affected versions of this package are vulnerable to SQL Injection. It has some restful API's which will concatenate SQLs with the user input string. How to fix SQL Injection? Upgrade `org.apache.kylin:kylin-server-base` to version 2.6.5, 3.0.1 or higher.	[2.3.0,2.6.5)[3.0.0,3.0.1)

Vulnerability

Vulnerable Version

Command Injection

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Command Injection due to the Diagnosis Controller missing parameter validation, allowing an attacker to send malicious HTTP requests.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-server-base to version 4.0.3 or higher.

[2.0.0,4.0.3)

Remote Code Execution (RCE)

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.kylin:kylin-server-base to version 4.0.2 or higher.

[2.0.0,4.0.2)

Improper Input Validation

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Improper Input Validation due to the possibility to receive user input and load any class through Class.forName(...).

How to fix Improper Input Validation?

Upgrade org.apache.kylin:kylin-server-base to version 4.0.1, 3.1.3 or higher.

[4.0.0-alpha,4.0.1)[,3.1.3)

SQL Injection

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to SQL Injection. It has some restful API's which will concatenate SQLs with the user input string.

How to fix SQL Injection?

Upgrade org.apache.kylin:kylin-server-base to version 2.6.5, 3.0.1 or higher.

[2.3.0,2.6.5)[3.0.0,3.0.1)

org.apache.kylin:kylin-server-base@2.5.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?