CVE-2021-45456

CWE-77Command Injection4 documents4 sources
Severity
9.8CRITICAL
EPSS
47.8%
top 2.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache KylinApache Kylin
Timeline
PublishedJan 6
Latest updateJan 8

Description

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.kylin:kylin< 4.0.1
NVDapache/kylin4.0.0
CVEListV5apache_software_foundation/apache_kylinApache Kylin 4 4.0.0

🔴Vulnerability Details

3
GHSA
Command Injection in Apache Kylin2022-01-08
OSV
Command Injection in Apache Kylin2022-01-08
CVEList
Command injection2022-01-06