CVE-2024-48944

EPSS 0.15%

Apache Kylin Server-Side Request Forgery (SSRF) via `/kylin/api/xxx/diag` Endpoint

Published: 3/27/2025Modified: 3/27/2025

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes the issue.

Affected packages (1)

Maven/org.apache.kylin:kylin-common-server>= 5.0.0, < 5.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-48944
PATCHhttps://github.com/apache/kylin
WEBhttps://github.com/apache/kylin/commit/4e6a5acd799ae7543c7161e72ef1019c74d5b4ad
WEBhttps://issues.apache.org/jira/browse/KYLIN-5644
WEBhttps://lists.apache.org/thread/1xxxtdfh9hzqsqgb1pd9grb8hvqdyc9x