CVE-2021-45456
CRITICAL - Apache Kylin 4.0.0 - Command Injection via Project Name Parameter
Title source: llmDescription
Apache Kylin checks the legitimacy of the project name before executing some commands with the project name passed in by the user. In DiagnosisService there is a mismatch between the value that is checked and the value that is used as the shell command argument. An illegal project name may therefore pass the check and reach the subsequent steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.
References (2)
Core (2)
Core References
Mailing List, Vendor Advisory (x_refsource_misc)
https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
http://www.openwall.com/lists/oss-security/2022/01/06/1
Scores
CVSS v3
9.8
EPSS
0.3782
EPSS Percentile
97.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (2)
apache/kylin
4.0.0 (3 CPE variants)
org.apache.kylin/kylin
0 - 4.0.1 (Maven)
Published
Jan 06, 2022
Tracked Since
Feb 18, 2026