org.apache.kylin:kylin-server-base@4.0.0 vulnerabilities

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Command Injection due to the Diagnosis Controller missing parameter validation, allowing an attacker to send malicious HTTP requests.

Upgrade org.apache.kylin:kylin-server-base to version 4.0.3 or higher.

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

Upgrade org.apache.kylin:kylin-server-base to version 4.0.2 or higher.

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Improper Input Validation due to the possibility to receive user input and load any class through Class.forName(...).

Upgrade org.apache.kylin:kylin-server-base to version 4.0.1, 3.1.3 or higher.

org.apache.kylin:kylin-server-base is a distributed analytical engine designed to provide OLAP capability for big data.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). When checking the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.

Upgrade org.apache.kylin:kylin-server-base to version 4.0.1 or higher.