CVE-2021-45456

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-45456
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45456.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-45456
Aliases
Published
2022-01-06T13:15:08Z
Modified
2024-09-03T03:58:48.216691Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is checked and what is used as the shell command argument in DiagnosisService. This may allow an illegal project name to pass the check and proceed to the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

References

Affected packages

Git / github.com/apache/kylin

Affected ranges

Type
GIT
Repo
https://github.com/apache/kylin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Last affected
Last affected

Affected versions

kylin-0.*

kylin-0.6.3
kylin-0.7.1-incubating
kylin-0.7.2-incubating

kylin-1.*

kylin-1.0-incubating
kylin-1.1-incubating
kylin-1.1.1-incubating
kylin-1.2

kylin-4.*

kylin-4.0.0-alpha
kylin-4.0.0-beta

v0.*

v0.6.1
v0.6.1_mysql_auth
v0.6.2
v0.6.4
v0.6.5