Description
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
Remediation
References
https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
http://www.openwall.com/lists/oss-security/2022/01/06/5
Related Vulnerabilities
CVE-2021-39171 Vulnerability in npm package passport-saml
CVE-2023-48711 Vulnerability in npm package google-translate-api-browser
CVE-2022-45921 Vulnerability in maven package io.fusionauth:fusionauth-java-client
CVE-2021-45458 Vulnerability in maven package org.apache.kylin:kylin-core-common
CVE-2022-33140 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-core