CVE-2022-43396

EPSS 0.24%
Veröffentlicht 30.12.2022 11:15:10
Zuletzt bearbeitet 11.04.2025 15:15:39
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Kylin Version < 4.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.473

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

https://lists.apache.org/thread/ob2ks04zl5ms0r44cd74y1xdl1rzfd1r

Patch

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-43396

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-43396

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-43396

EUVD