CVE-2021-31522

Summary

Kylin can receive user input and load any class through Class.forName(…). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache KylinApache Kylin 2 <= 2.6.6affected
Apache Software FoundationApache KylinApache Kylin 3 <= 3.1.2affected
Apache Software FoundationApache KylinApache Kylin 4 <= 4.0.0affected

Weaknesses

  • load any class

Workarounds

Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695. Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763.

ADP Enrichment

CVE Program Container

Additional References

References