Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.

Affected Packages

Maven org.apache.kylin:kylin

Affected versions: 0 (fixed in 3.1.3)

Related CVEs

CVE-2021-36774

Key Information

GHSA ID

GHSA-5429-pjww-7675

Published

January 8, 2022 12:43 AM

Last Modified

August 8, 2023 8:44 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.kylin:kylin

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.