CVE-2022-43396
HIGH8.8EPSS 0.39%Apache Kylin vulnerable to Command injection by Useless configuration
發布日:2022/12/30修改日:2025/4/11
描述
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the `kylin.engine.spark-cmd` parameter of `conf`.
受影響套件(1)
- Maven/org.apache.kylin:kylin>= 2.0.0, < 4.0.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |