Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

Affected Packages

Maven org.apache.kylin:kylin

Affected versions: 0 (fixed in 4.0.1)

Related CVEs

CVE-2021-45456

Key Information

GHSA ID

GHSA-hw3m-8h25-8frw

Published

January 8, 2022 12:42 AM

Last Modified

January 7, 2022 10:53 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.kylin:kylin

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.