CyberSec.Space Logo
Back to CVE Browser

CVE-2021-31522

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1400%
EPSS Percentile0.69th
PublishedJan 6, 2022
Last ModifiedNov 21, 2024

Vulnerability Description

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Affected Platforms (CPE)

πŸ“¦
Apache

Kylin

>= 2.0.0 and <= 2.6.6
πŸ“¦
Apache

Kylin

>= 3.0.0 and < 3.1.3
πŸ“¦
Apache

Kylin

= 4.0.0
πŸ“¦
Apache

Kylin

= 4.0.0
πŸ“¦
Apache

Kylin

= 4.0.0

References & Advisories

πŸ”— http://www.openwall.com/lists/oss-security/2022/01/06/4
πŸ”— https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
πŸ”— http://www.openwall.com/lists/oss-security/2022/01/06/4
πŸ”— https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw

Related Vulnerabilities

CVE-2021-454569.8

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. Ther...

CVE-2020-139259.8

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them...

CVE-2020-139269.8

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system...

CVE-2020-19568.8

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input...