CVE-2022-43396

CVE-2022-43396: Apache Kylin: Command injection by Useless configuration

Vendor Apache Software Foundation
Product Apache Kylin
Published December 30, 2022
Last update April 11, 2025

CVSS base score

What the vulnerability does

Description

In the fix for CVE-2022-24697, a blacklist is used to filter user-supplied commands, but the filter can be bypassed. A user who can set the kylin.engine.spark-cmd parameter in the Kylin configuration controls the command that is executed.
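As an added illustration of the filtering problem described above (this is example code, not code from Apache Kylin or from the advisory), the following Python contrasts a blacklist check on an assembled command string with an allowlist of permitted executables plus a plain argument vector. The blacklist contents, the configuration dictionary, the allowlist path, the argument pattern and the job arguments are all assumptions constructed for the example; what it shows is that a metacharacter blacklist cannot help when the configuration value supplies the executable itself.

```python
import os
import re
from typing import Dict, List, Optional

# Assumed, illustrative blacklist of shell metacharacters. This is NOT the
# list used in the real Kylin fix; it stands in for any filter of that shape.
BLACKLIST = (";", "|", "&", "`", "$(", ">", "<", "\n")

# Assumed allowlist for the hardened variant: the only spark-submit binary the
# deployment is expected to call (constructed for this example).
ALLOWED_SPARK_CMDS = frozenset({"/opt/spark/bin/spark-submit"})

# Arguments passed through to the executable must match this conservative
# pattern: no whitespace, no quoting, no shell metacharacters.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=,@+-]+$")


def blacklist_allows(cmd: str) -> bool:
    """Weak check: reject only if a blacklisted token appears in the string."""
    return not any(tok in cmd for tok in BLACKLIST)


def build_command_blacklist(conf: Dict[str, str], job_args: List[str]) -> Optional[str]:
    """Weak pattern: the executable is taken verbatim from the config value,
    the command is built as one shell string, and a blacklist is the only gate.
    Returns the command string if the filter passes, else None."""
    cmd = " ".join([conf.get("kylin.engine.spark-cmd", "")] + job_args)
    return cmd if blacklist_allows(cmd) else None


def build_command_allowlist(conf: Dict[str, str], job_args: List[str]) -> Optional[List[str]]:
    """Hardened pattern: the executable must be one of a fixed set of absolute
    paths (after normalisation, so '..' segments are collapsed first), every
    argument must match SAFE_ARG, and the result is an argv list intended for
    execution without a shell (e.g. subprocess.run(argv, shell=False)).
    Returns None on rejection."""
    exe = os.path.normpath(conf.get("kylin.engine.spark-cmd", ""))
    if not os.path.isabs(exe) or exe not in ALLOWED_SPARK_CMDS:
        return None
    if not all(SAFE_ARG.match(a) for a in job_args):
        return None
    return [exe] + list(job_args)


if __name__ == "__main__":
    legit = {"kylin.engine.spark-cmd": "/opt/spark/bin/spark-submit"}
    # Constructed attacker-controlled config: the value is just a path, so it
    # contains none of the blacklisted tokens and sails through the filter.
    hostile = {"kylin.engine.spark-cmd": "/tmp/not-spark-submit.sh"}
    args = ["--class", "org.example.Job"]
    print("blacklist, legit  :", build_command_blacklist(legit, args))
    print("blacklist, hostile:", build_command_blacklist(hostile, args))
    print("allowlist, legit  :", build_command_allowlist(legit, args))
    print("allowlist, hostile:", build_command_allowlist(hostile, args))
```

The blacklist variant passes the hostile configuration unchanged because nothing in a bare file path matches the filter; the allowlist variant rejects it, and also rejects arguments carrying whitespace or metacharacters, without ever handing a string to a shell.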

Key dates

Disclosure timeline

December 30, 2022 CVE published
April 11, 2025 Record updated