CVE-2021-31522
N/A
N/A
Summary
Kylin can receive user input and load any class through Class.forName(…). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Kylin | Apache Kylin 2 <= 2.6.6 | affected |
| Apache Software Foundation | Apache Kylin | Apache Kylin 3 <= 3.1.2 | affected |
| Apache Software Foundation | Apache Kylin | Apache Kylin 4 <= 4.0.0 | affected |
Weaknesses
- load any class
Workarounds
Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695. Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763.
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
- http://www.openwall.com/lists/oss-security/2022/01/06/4
References
- https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
- http://www.openwall.com/lists/oss-security/2022/01/06/4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.