exploitDog
GHSA-f5q9-j9r2-34gq

Published: 30 Dec 2022
Source: github
GitHub: reviewed
CVSS3: 8.8

Description

Apache Kylin vulnerable to Command injection by Useless configuration

In the fix for CVE-2022-24697, a blacklist is used to filter user-input commands, but it can be bypassed: the user can control the executed command by controlling the kylin.engine.spark-cmd parameter in the configuration.

Packages

Name: org.apache.kylin:kylin (maven)
Affected versions: >= 2.0.0, < 4.0.3
Fixed version: 4.0.3

EPSS

Percentile: 59%
Score: 0.00387
Low

CVSS3

8.8 High

Weaknesses

CWE-184 (Incomplete List of Disallowed Inputs)
CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')

Related vulnerabilities

CVSS3: 8.8
Source: nvd
About 3 years ago
