CVE-2021-36774
MEDIUM
Apache Kylin 2.0.0-2.6.6 and 3.0.0-3.1.2 - Remote Code Execution via MySQL JDBC Driver Properties
Title source: llm
Description
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties which, if left unmitigated, can allow an attacker to execute arbitrary code within Kylin server processes from an attacker-controlled malicious MySQL server. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
References (2)
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/01/06/5
Scores
CVSS v3
6.5
EPSS
0.0080
EPSS Percentile
74.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
Status
published
Products (2)
apache/kylin
2.0.0 - 2.6.6
org.apache.kylin/kylin
0 - 3.1.3 (Maven)
Published
Jan 06, 2022
Tracked Since
Feb 18, 2026