Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/01/06/4 | Mailing List Patch Third Party Advisory |
https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
12 Jan 2022, 20:52
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CPE | cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:* cpe:2.3:a:apache:kylin:4.0.0:alpha:*:*:*:*:*:* cpe:2.3:a:apache:kylin:4.0.0:beta:*:*:*:*:*:* cpe:2.3:a:apache:kylin:4.0.0:-:*:*:*:*:*:* |
|
References | (MISC) https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw - Patch, Vendor Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/01/06/4 - Mailing List, Patch, Third Party Advisory | |
CWE | CWE-470 | |
First Time |
Apache
Apache kylin |
06 Jan 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Jan 2022, 13:29
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-01-06 13:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-31522
Mitre link : CVE-2021-31522
CVE.ORG link : CVE-2021-31522
JSON object : View
Products Affected
apache
- kylin
CWE
CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')