CyberSec.Space Logo
返回 CVE 浏览器

CVE-2021-31522

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1400%
EPSS Percentile0.69th
Published2022年1月6日
Last Modified2024年11月21日

Vulnerability Description

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Affected Platforms (CPE)

📦
Apache

Kylin

>= 2.0.0 and <= 2.6.6
📦
Apache

Kylin

>= 3.0.0 and < 3.1.3
📦
Apache

Kylin

= 4.0.0
📦
Apache

Kylin

= 4.0.0
📦
Apache

Kylin

= 4.0.0

References & Advisories

🔗 http://www.openwall.com/lists/oss-security/2022/01/06/4
🔗 https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
🔗 http://www.openwall.com/lists/oss-security/2022/01/06/4
🔗 https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw

相关漏洞威胁

CVE-2021-454569.8

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. Ther...

CVE-2020-139259.8

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them...

CVE-2020-139269.8

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system...

CVE-2020-19568.8

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input...