GHSA-f5q9-j9r2-34gq

GitHub Security Advisory

Apache Kylin vulnerable to Command injection by Useless configuration

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

The fix for CVE-2022-24697 filters user-supplied commands with a blacklist, but the blacklist can be bypassed. A user can still control the command that is executed by controlling the `kylin.engine.spark-cmd` parameter of `conf`.

Affected Packages

Maven org.apache.kylin:kylin
Affected versions: 2.0.0 (fixed in 4.0.3)

Related CVEs

Key Information

GHSA ID
GHSA-f5q9-j9r2-34gq
Published
December 30, 2022 12:30 PM
Last Modified
January 10, 2023 4:13 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.apache.kylin:kylin
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.