CVE-2021-36774

moderate-risk

Published 2022-01-06

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.

Do I need to act?

0.80% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Kylin

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2022/01/06/5

Mailing List https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow

Mailing List http://www.openwall.com/lists/oss-security/2022/01/06/5

Mailing List https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal