CVE-2021-31522

EPSS 5.23%
Published 06.01.2022 13:15:08
Last modified 21.11.2024 06:05:51
Source security@apache.org
Teams watchlist Login
Open Login

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Kylin Version >= 2.0.0 <= 2.6.6

Apache ≫ Kylin Version >= 3.0.0 < 3.1.3

Apache ≫ Kylin Version4.0.0 Update-

Apache ≫ Kylin Version4.0.0 Updatealpha

Apache ≫ Kylin Version4.0.0 Updatebeta

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	5.23%	0.896

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

http://www.openwall.com/lists/oss-security/2022/01/06/4

Patch

Third Party Advisory

Mailing List

https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-31522

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-31522

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-31522

EUVD