CVE-2021-36774

CWE-668 — Exposure to Wrong Sphere CWE-89 — SQL Injection4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.8%

top 25.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Kylin Apache Kylin

Timeline

PublishedJan 6

Latest updateJan 8

Description

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.kylin:kylin< 3.1.3

▶NVDapache/kylin2.0.0 — 2.6.6+1

▶CVEListV5apache_software_foundation/apache_kylinApache Kylin 2 — 2.6.6+1

🔴Vulnerability Details

OSV

SQL Injection in Apache Kylin↗2022-01-08

▶

GHSA

SQL Injection in Apache Kylin↗2022-01-08

▶

CVEList

Mysql JDBC Connector Deserialize RCE↗2022-01-06

▶