org.apache.kylin:kylin-spark-engine@4.0.0-alpha vulnerabilities

latest version

4.0.4

latest non vulnerable version

4.0.4

first published

5 years ago

latest version published

1 years ago

licenses detected

Apache-2.0
[4.0.0-alpha,)

package registry

View on Maven Central Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kylin:kylin-spark-engine package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Command Injection Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`. How to fix Command Injection? Upgrade `org.apache.kylin:kylin-spark-engine` to version 4.0.3 or higher.	[2.0.0,4.0.3)
H Remote Code Execution (RCE) Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of `“-- conf=”` to inject any operating system command into the command line parameters. How to fix Remote Code Execution (RCE)? Upgrade `org.apache.kylin:kylin-spark-engine` to version 4.0.2 or higher.	[2.0.0,4.0.2)

Command Injection

Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-spark-engine to version 4.0.3 or higher.

[2.0.0,4.0.3)

Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.kylin:kylin-spark-engine to version 4.0.2 or higher.

[2.0.0,4.0.2)

Go back to all versions of this package