cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score CVE-2024-23590,https://securityvulnerability.io/vulnerability/CVE-2024-23590,Session Fixation vulnerability in Apache Kylin,"Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.",Apache,Apache Kylin,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-04T09:27:06.050Z,0 CVE-2023-29055,https://securityvulnerability.io/vulnerability/CVE-2023-29055,Apache Kylin: Insufficiently protected credentials in config file,"In certain versions of Apache Kylin, a vulnerability exists within the Server Config web interface that inadvertently exposes the contents of the 'kylin.properties' file. This file may contain sensitive information such as server-side credentials, which can be compromised if the Kylin service runs over HTTP or other unencrypted protocols. Network attackers can utilize packet sniffing techniques to intercept the transmitted payload, leading to unauthorized access to sensitive configuration data. To mitigate this risk, it is crucial to enforce HTTPS for encrypted communication, refrain from storing credentials in 'kylin.properties' in plaintext, implement robust network firewalls to restrict access to internal servers, and upgrade to Apache Kylin 4.0.4 or later to ensure that sensitive information is properly filtered from the web interface.",Apache,Apache Kylin,7.5,HIGH,0.003389999968931079,false,,false,false,false,,,false,false,,2024-01-29T12:20:55.147Z,0 CVE-2022-44621,https://securityvulnerability.io/vulnerability/CVE-2022-44621,Apache Kylin: Command injection by Diagnosis Controller,"Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.",Apache,Apache Kylin,9.8,CRITICAL,0.005249999929219484,false,,false,false,false,,,false,false,,2022-12-30T10:31:52.614Z,0 CVE-2022-43396,https://securityvulnerability.io/vulnerability/CVE-2022-43396,Apache Kylin: Command injection by Useless configuration,"In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.",Apache,Apache Kylin,8.8,HIGH,0.0015800000401213765,false,,false,false,false,,,false,false,,2022-12-30T10:30:45.627Z,0 CVE-2022-24697,https://securityvulnerability.io/vulnerability/CVE-2022-24697,Apache Kylin prior to 4.0.2 allows command injection when the configuration overwrites function overwrites system parameters,"Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.",Apache,Apache Kylin,9.8,CRITICAL,0.12308000028133392,false,,false,false,false,,,false,false,,2022-10-13T00:00:00.000Z,0 CVE-2021-45458,https://securityvulnerability.io/vulnerability/CVE-2021-45458,Hardcoded credentials,"Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.",Apache,Apache Kylin,7.5,HIGH,0.002309999894350767,false,,false,false,false,,,false,false,,2022-01-06T12:35:24.000Z,0 CVE-2021-45457,https://securityvulnerability.io/vulnerability/CVE-2021-45457,"Overly broad CORS configuration ","In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.",Apache,Apache Kylin,7.5,HIGH,0.001610000035725534,false,,false,false,false,,,false,false,,2022-01-06T12:35:22.000Z,0 CVE-2021-45456,https://securityvulnerability.io/vulnerability/CVE-2021-45456,Command injection,"Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.",Apache,Apache Kylin,9.8,CRITICAL,0.00559999980032444,false,,false,false,false,,,false,false,,2022-01-06T12:35:21.000Z,0 CVE-2021-36774,https://securityvulnerability.io/vulnerability/CVE-2021-36774,Mysql JDBC Connector Deserialize RCE,"Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.",Apache,Apache Kylin,6.5,MEDIUM,0.0007399999885819852,false,,false,false,false,,,false,false,,2022-01-06T12:35:20.000Z,0 CVE-2021-31522,https://securityvulnerability.io/vulnerability/CVE-2021-31522,Apache Kylin unsafe class loading,Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.,Apache,Apache Kylin,9.8,CRITICAL,0.005160000175237656,false,,false,false,false,,,false,false,,2022-01-06T12:35:18.000Z,0 CVE-2021-27738,https://securityvulnerability.io/vulnerability/CVE-2021-27738,Improper Access Control to Streaming Coordinator & SSRF,"All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.",Apache,Apache Kylin,7.5,HIGH,0.001129999989643693,false,,false,false,false,,,false,false,,2022-01-06T12:35:17.000Z,0 CVE-2020-13937,https://securityvulnerability.io/vulnerability/CVE-2020-13937,,"Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.",Apache,Apache Kylin,5.3,MEDIUM,0.97434002161026,false,,false,false,true,2022-10-18T14:11:16.000Z,true,false,false,,2020-10-19T20:33:18.000Z,0 CVE-2020-13926,https://securityvulnerability.io/vulnerability/CVE-2020-13926,,"Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.",Apache,Apache Kylin,9.8,CRITICAL,0.002420000033453107,false,,false,false,false,,,false,false,,2020-07-14T12:50:48.000Z,0 CVE-2020-13925,https://securityvulnerability.io/vulnerability/CVE-2020-13925,,"Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.",Apache,Apache Kylin,9.8,CRITICAL,0.006380000151693821,false,,false,false,true,2020-07-20T10:38:14.000Z,true,false,false,,2020-07-14T12:47:46.000Z,0 CVE-2020-1937,https://securityvulnerability.io/vulnerability/CVE-2020-1937,,"Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.",Apache,Apache Kylin,8.8,HIGH,0.0026100000832229853,false,,false,false,true,2021-01-06T13:31:20.000Z,true,false,false,,2020-02-24T20:57:52.000Z,0