#VU59274 OS Command Injection in Apache Kylin - CVE-2021-45456

Published: January 6, 2022


Vulnerability identifier: #VU59274
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-45456
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Kylin
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote authenticated user to compromise the affected system.

The vulnerability exists due to improper input validation when processing project names. Apache Kylin checks the legitimacy of a project name before using it in shell commands run by DiagnosisService, but the value that is checked is not the same value that is later passed as the shell command argument. A remote user with a low-privileged account (PR:L in the CVSS vector above) can therefore supply a specially crafted project name that passes the check and still reaches the shell, and execute arbitrary OS commands with the privileges of the Kylin process.
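The following is an added illustration of the check/use mismatch described above; it is example code written for this page, not Apache Kylin's own code, and the specific way the checked value diverges from the used value here (validating only the first whitespace-separated token) is a hypothetical stand-in for whatever the real mismatch was. The diagnosis script is replaced by a constructed `echo` command so the example runs offline; `check_project_name`, `run_diagnosis_vulnerable` and `run_diagnosis_hardened` are names chosen for this example.

```python
import re
import shlex
import subprocess

# A name that is safe to pass to a shell: letters, digits, underscore only.
PROJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed stand-in for the diagnosis script invoked by the service.
DIAG_COMMAND = "echo diagnosing"


def check_project_name(project: str) -> str:
    """Hypothetical validation with the same flaw the advisory describes:
    the regex is applied to a derived copy of the name (the first
    whitespace-separated token), but the raw value is what gets returned
    and later used. The check and the use therefore disagree."""
    tokens = project.split()
    candidate = tokens[0] if tokens else ""
    if not PROJECT_NAME_RE.fullmatch(candidate):
        raise ValueError(f"illegal project name: {project!r}")
    return project  # raw value, not the validated candidate


def run_diagnosis_vulnerable(project: str) -> str:
    """Vulnerable pattern: validated name concatenated into a shell line."""
    name = check_project_name(project)
    cmd = f"{DIAG_COMMAND} {name}"          # shell metacharacters survive
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def run_diagnosis_hardened(project: str) -> str:
    """Hardened pattern: the exact value that is used is the value that is
    validated, and it is passed as one argv element without a shell."""
    if not PROJECT_NAME_RE.fullmatch(project):
        raise ValueError(f"illegal project name: {project!r}")
    argv = shlex.split(DIAG_COMMAND) + [project]   # no shell parsing at all
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_rejects(project: str) -> bool:
    """True if the hardened path refuses the name instead of running it."""
    try:
        run_diagnosis_hardened(project)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: the first token "proj" satisfies the regex, the
    # rest is a second shell command that the vulnerable path executes.
    payload = "proj ;echo INJECTED"
    print(run_diagnosis_vulnerable("proj"), end="")      # diagnosing proj
    print(run_diagnosis_vulnerable(payload), end="")     # ...and INJECTED
    print(run_diagnosis_hardened("proj"), end="")        # diagnosing proj
    print("hardened rejects payload:", hardened_rejects(payload))
```

The vulnerable path prints a second line, `INJECTED`, because `sh -c` sees `;` as a command separator; the hardened path rejects the same input outright, and even a value that slipped past the regex would reach `echo` as a single argument rather than being re-parsed by a shell. The two changes to carry over from this example are to validate the exact string you are about to use, and to avoid `shell=True` (or Java's `Runtime.exec("sh -c ...")`) in favour of an argument vector.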

Remediation

Install updates from the vendor's website. Until the update is applied, restrict access to Kylin's REST API and web UI to trusted users, since the flaw is reachable by any authenticated user who can submit a project name to DiagnosisService.

External links