Homepage
About Snyk

org.apache.kylin:kylin-spark-engine@4.0.0-alpha vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kylin:kylin-spark-engine package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-spark-engine to version 4.0.3 or higher.

[2.0.0,4.0.3)
  • H
Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in cube designer function when overwriting system parameters in the configuration overwrites menu. An attacker can exploit this vulnerability by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.kylin:kylin-spark-engine to version 4.0.2 or higher.

[2.0.0,4.0.2)
Go back to all versions of this package