org.apache.kylin:kylin-server-base@4.0.0 vulnerabilities

  • latest version

    4.0.4

  • latest non vulnerable version

  • first published

    8 years ago

  • latest version published

    1 years ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.kylin:kylin-server-base package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Command Injection

    org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

    Affected versions of this package are vulnerable to Command Injection due to the Diagnosis Controller missing parameter validation, allowing an attacker to send malicious HTTP requests.

    How to fix Command Injection?

    Upgrade org.apache.kylin:kylin-server-base to version 4.0.3 or higher.

    [2.0.0,4.0.3)
    • H
    Remote Code Execution (RCE)

    org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

    How to fix Remote Code Execution (RCE)?

    Upgrade org.apache.kylin:kylin-server-base to version 4.0.2 or higher.

    [2.0.0,4.0.2)
    • H
    Improper Input Validation

    org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

    Affected versions of this package are vulnerable to Improper Input Validation due to the possibility to receive user input and load any class through Class.forName(...).

    How to fix Improper Input Validation?

    Upgrade org.apache.kylin:kylin-server-base to version 4.0.1, 3.1.3 or higher.

    [4.0.0-alpha,4.0.1)[,3.1.3)
    • H
    Remote Code Execution (RCE)

    org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

    Affected versions of this package are vulnerable to Remote Code Execution (RCE). When checking the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.

    How to fix Remote Code Execution (RCE)?

    Upgrade org.apache.kylin:kylin-server-base to version 4.0.1 or higher.

    [4.0.0,4.0.1)