Apache

Kylin

21 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.3

CVE-2025-61735

  • EPSS 0.04%
  • Veröffentlicht 02.10.2025 10:15:40
  • Zuletzt bearbeitet 03.10.2025 18:50:46

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to ...

7.5

CVE-2025-61734

  • EPSS 0.03%
  • Veröffentlicht 02.10.2025 10:15:40
  • Zuletzt bearbeitet 03.10.2025 18:51:22

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommen...

7.5

CVE-2025-61733

  • EPSS 0.06%
  • Veröffentlicht 02.10.2025 10:15:39
  • Zuletzt bearbeitet 03.10.2025 18:51:58

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

7.2

CVE-2025-30067

  • EPSS 0.15%
  • Veröffentlicht 27.03.2025 15:16:02
  • Zuletzt bearbeitet 11.04.2025 18:06:34

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the rem...

6.5

CVE-2024-48944

  • EPSS 0.09%
  • Veröffentlicht 27.03.2025 15:15:53
  • Zuletzt bearbeitet 01.04.2025 15:44:43

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1...

9.1

CVE-2024-23590

  • EPSS 0.44%
  • Veröffentlicht 04.11.2024 10:15:04
  • Zuletzt bearbeitet 10.07.2025 21:41:27

Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.

7.5

CVE-2023-29055

  • EPSS 0.1%
  • Veröffentlicht 29.01.2024 13:15:07
  • Zuletzt bearbeitet 13.02.2025 17:16:17

In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is ...

9.8

CVE-2022-44621

  • EPSS 0.79%
  • Veröffentlicht 30.12.2022 11:15:10
  • Zuletzt bearbeitet 11.04.2025 15:15:40

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.

8.8

CVE-2022-43396

  • EPSS 0.24%
  • Veröffentlicht 30.12.2022 11:15:10
  • Zuletzt bearbeitet 11.04.2025 15:15:39

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

9.8

CVE-2022-24697

  • EPSS 55.95%
  • Veröffentlicht 13.10.2022 13:15:09
  • Zuletzt bearbeitet 16.05.2025 14:15:27

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inj...