#VU59277 Input validation error in Apache Kylin - CVE-2021-31522

Cybersecurity Help s.r.o.

Published: 2022-01-06

Vulnerability identifier: #VU59277

Vulnerability risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-31522

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Kylin
Server applications / Database software

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to compromise the affected application.

The vulnerability exists due to the application allows to load any class through Class.forName(...) call. A remote user can execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Kylin: 2.0.0, 2.1.0, 2.2.0, 2.3.0 - 2.3.2, 2.4.0 - 2.4.1, 2.5.0 - 2.5.2, 2.6.0 - 2.6.6, 3.0.0 - 3.0.2, 3.1.0 - 3.1.2, 4.0.0

External links
https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
https://www.openwall.com/lists/oss-security/2022/01/06/4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apache Kylin