org.apache.kylin:kylin-core-common 4.0.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kylin:kylin-core-common package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
L Arbitrary Code Injection org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Arbitrary Code Injection via the alteration of the JDBC connection configuration. An attacker can execute arbitrary code by modifying the JDBC settings if they gain system or project admin permissions. How to fix Arbitrary Code Injection? Upgrade `org.apache.kylin:kylin-core-common` to version 5.0.2 or higher.	[4.0.0,5.0.2)
M Insufficiently Protected Credentials org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Server Config web interface which displays the content of the `kylin.properties` file. An attacker can hijack the HTTP payload and gain access to potentially sensitive information, including server-side credentials, if the service is running over HTTP or another plaintext protocol. Note: This is only exploitable if the kylin service is accessible to external attackers and is not protected by HTTPS or network firewalls. How to fix Insufficiently Protected Credentials? Upgrade `org.apache.kylin:kylin-core-common` to version 4.0.4 or higher.	[2.0.0,4.0.4)
H Command Injection org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`. How to fix Command Injection? Upgrade `org.apache.kylin:kylin-core-common` to version 4.0.3 or higher.	[2.0.0,4.0.3)
M Cryptographic Issues org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Cryptographic Issues due to usage of insecure `AES/ECB/PKCS5Padding`. How to fix Cryptographic Issues? Upgrade `org.apache.kylin:kylin-core-common` to version kylin-3.1.0 or higher.	[,kylin-3.1.0)

Vulnerability

Vulnerable Version

Arbitrary Code Injection

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the alteration of the JDBC connection configuration. An attacker can execute arbitrary code by modifying the JDBC settings if they gain system or project admin permissions.

How to fix Arbitrary Code Injection?

Upgrade org.apache.kylin:kylin-core-common to version 5.0.2 or higher.

[4.0.0,5.0.2)

Insufficiently Protected Credentials

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the Server Config web interface which displays the content of the kylin.properties file. An attacker can hijack the HTTP payload and gain access to potentially sensitive information, including server-side credentials, if the service is running over HTTP or another plaintext protocol.

Note:

This is only exploitable if the kylin service is accessible to external attackers and is not protected by HTTPS or network firewalls.

How to fix Insufficiently Protected Credentials?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.4 or higher.

[2.0.0,4.0.4)

Command Injection

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Command Injection due to an incomplete fix for CVE-2022-24697. The blacklist is used to filter user input commands, but there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

How to fix Command Injection?

Upgrade org.apache.kylin:kylin-core-common to version 4.0.3 or higher.

[2.0.0,4.0.3)

Cryptographic Issues

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Cryptographic Issues due to usage of insecure AES/ECB/PKCS5Padding.

How to fix Cryptographic Issues?

Upgrade org.apache.kylin:kylin-core-common to version kylin-3.1.0 or higher.

[,kylin-3.1.0)

org.apache.kylin:kylin-core-common@4.0.2 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?