org.apache.kylin:kylin-server-base
Maven
5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.kylin:kylin-server-base
- CVE-2020-13925 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.1.0 | 2020-07-14
vulnerable: 1.5.3 ... 3.0.2 (27 versions)
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have th…
- CVE-2020-13926 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.1.0 | 2020-07-14
vulnerable: 1.5.3 ... 3.0.2 (27 versions)
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection at…
- CVE-2020-1937 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 3.0.1 | 2020-02-24
vulnerable: 3.0.0
Kylin has some RESTful APIs which concatenate SQL with the user input string, so a user is likely to be able to run malicious database queries.
- CVE-2022-24697 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.0.2 | 2022-10-13
vulnerable: 1.5.3 ... 4.0.1 (35 versions)
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- …
- CVE-2022-44621 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.0.3 | 2022-12-30
vulnerable: 2.0.0 ... 4.0.2 (32 versions)
The Diagnosis Controller misses parameter validation, so a user may be attacked by command injection via an HTTP request.