CVE-2021-45456

high-risk

Published 2022-01-06

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

Do I need to act?

47.8% chance of exploitation in next 30 days

EPSS score — higher than 52% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Kylin

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2022/01/06/1

Mailing List https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf

Mailing List http://www.openwall.com/lists/oss-security/2022/01/06/1

Mailing List https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 17/34 · Moderate

Exposure 9/34 · Low