Search for packages
| purl | pkg:maven/org.apache.kylin/kylin@4.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2mp1-7zce-dkh8
Aliases: CVE-2023-29055 GHSA-3vvc-v8c2-43r7 |
Apache Kylin has Insufficiently Protected Credentials In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials. To avoid this threat, users are recommended to * Always turn on HTTPS so that network payload is encrypted. * Avoid putting credentials in kylin.properties, or at least not in plain text. * Use network firewalls to protect the serverside such that it is not accessible to external attackers. * Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface. |
Affected by 5 other vulnerabilities. |
|
VCID-55ud-m45e-fqhk
Aliases: CVE-2022-24697 GHSA-ppxx-m926-g569 |
Apache Kylin vulnerable to remote code execution Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier. |
Affected by 8 other vulnerabilities. |
|
VCID-5h7z-8j2q-k3hk
Aliases: CVE-2025-61734 GHSA-p86w-w5rh-m3hx |
Apache Kylin Files or Directories Accessible to External Parties Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-74vu-bu5d-zqgq
Aliases: CVE-2025-61733 GHSA-mr9j-4j48-xcm2 |
Apache Kylin Authentication Bypass Vulnerability Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-7sr2-htxm-v7dw
Aliases: CVE-2022-44621 GHSA-w9rv-xmf7-x3gh |
Apache Kylin vulnerable to Command injection by Diagnosis Controller Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. |
Affected by 6 other vulnerabilities. |
|
VCID-8v1x-1x2n-vbhu
Aliases: CVE-2021-45458 GHSA-9fj5-jg6f-qg5r |
Inadequate Encryption Strength Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions. |
Affected by 9 other vulnerabilities. |
|
VCID-8ye7-t531-b7hw
Aliases: CVE-2020-13937 GHSA-2hpg-vwqj-6h6w |
Insecure Storage of Sensitive Information Apache Kylin has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone. |
Affected by 9 other vulnerabilities. |
|
VCID-dzkm-q626-pug7
Aliases: CVE-2025-61735 GHSA-f6m8-qm7j-fh65 |
Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-m89c-z84y-jug2
Aliases: CVE-2025-30067 GHSA-29m8-wh9p-5wc4 |
Apache Kylin Code Injection via JDBC Configuration Alteration Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-pjr6-y7uu-jqfd
Aliases: CVE-2021-45457 GHSA-mgpf-hhgf-cxg4 |
Insufficiently Protected Credentials In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions. |
Affected by 9 other vulnerabilities. |
|
VCID-ue1j-npxy-37cq
Aliases: CVE-2022-43396 GHSA-f5q9-j9r2-34gq |
Apache Kylin vulnerable to Command injection by Useless configuration In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`. |
Affected by 6 other vulnerabilities. |
|
VCID-w2x3-2b5w-mbb7
Aliases: CVE-2021-45456 GHSA-hw3m-8h25-8frw |
Improper Neutralization of Special Elements used in a Command ('Command Injection') Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kyl |
Affected by 9 other vulnerabilities. |
|
VCID-x2j7-1kq5-e3ec
Aliases: CVE-2021-31522 GHSA-q656-g2x3-8cgh |
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions. |
Affected by 9 other vulnerabilities. |
|
VCID-ygvg-2wzv-nubj
Aliases: CVE-2024-23590 GHSA-752q-72qc-rc66 |
Apache Kylin Session Fixation vulnerability Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||