You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kylin.apache.org by Xiaoxiang Yu <xx...@apache.org> on 2022/12/30 07:23:22 UTC

CVE-2022-43396: Apache Kylin: Command injection by Useless configuration

Severity: important

Description:

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

Work Arounds:

Users of Kylin 2.x & Kylin 3.x & 4.x should upgrade to 4.0.3 or apply patch  https://github.com/apache/kylin/pull/2011 https://github.com/apache/kylin/pull/2011

Credit:

Yasax1 Li <pp...@gmail.com> (finder)


References:

https://lists.apache.org/thread/o53vqxjdd9q731bwqpgcqyzx9r716qwx
https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-43396
















--

Best wishes to you ! 
From ：Xiaoxiang Yu