Vulnerability Description
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Kylin | >= 2.0.0, <= 2.6.6 |
References
- http://www.openwall.com/lists/oss-security/2022/01/06/5Mailing ListThird Party Advisory
- https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2owMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2022/01/06/5Mailing ListThird Party Advisory
- https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2owMailing ListVendor Advisory
FAQ
What is CVE-2021-36774?
CVE-2021-36774 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary...
How severe is CVE-2021-36774?
CVE-2021-36774 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-36774?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Kylin.