org.apache.kylin:kylin
Maven9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.kylin:kylinpage 1 of 1
- CVE-2020-13937MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.0.0-beta2020-10-19
vulnerable: 4.0.0-alpha
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api w…
- CVE-2021-27738HIGHCVSS 7.5EG 7.5✓ Fixed in 3.1.32022-01-06
vulnerable: 0.7.1-incubating ... 3.1.2 (41 versions)
All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as …
- CVE-2021-31522CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.0.12022-01-06
vulnerable: 4.0.0
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior version…
- CVE-2021-36774MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.1.32022-01-06
vulnerable: 0.7.1-incubating ... 3.1.2 (41 versions)
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled maliciou…
- CVE-2021-45456CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.0.12022-01-06
vulnerable: 0.7.1-incubating ... 4.0.0-beta (45 versions)
Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in Diagnos…
- CVE-2021-45457HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12022-01-06
vulnerable: 4.0.0
In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0…
- CVE-2021-45458HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.12022-01-06
vulnerable: 4.0.0
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use cl…
- CVE-2022-43396HIGHCVSS 8.8EG 8.8✓ Fixed in 4.0.32022-12-30
vulnerable: 2.0.0 ... 4.0.2 (32 versions)
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
- CVE-2024-23590CRITICALCVSS 9.1EG 9.1✓ Fixed in 5.0.02024-11-04
vulnerable: 2.0.0 ... 5.0.0-beta (36 versions)
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
Check whether org.apache.kylin:kylin is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.kylin:kylin CVEs against the assets you own.
Start Free Scan →