CVE-2021-45456 — CRITICAL (9.8)

Vulnerability Description

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Kylin	4.0.0

Related Weaknesses (CWE)

CWE-77

References

http://www.openwall.com/lists/oss-security/2022/01/06/1Mailing ListThird Party Advisory
https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpfMailing ListVendor Advisory
http://www.openwall.com/lists/oss-security/2022/01/06/1Mailing ListThird Party Advisory
https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpfMailing ListVendor Advisory

FAQ

What is CVE-2021-45456?

CVE-2021-45456 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used a...

How severe is CVE-2021-45456?

CVE-2021-45456 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-45456?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Kylin.