
=====================================================================

                           CERT-Renater

               Note d'Information No. 2025/VULN180

_____________________________________________________________________

DATE                : 27/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Kylin versions prior to
                     5.0.2.

=====================================================================
https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
https://lists.apache.org/thread/1xxxtdfh9hzqsqgb1pd9grb8hvqdyc9x
_____________________________________________________________________

CVE-2025-30067: Apache Kylin: Remote code execution via JDBC URL
Severity: low

Affected versions:

- Apache Kylin 4.0.0 through 5.0.1

Description:

Improper Control of Generation of Code ('Code Injection') vulnerability
in Apache Kylin.

If an attacker obtains Kylin system-admin or project-admin permission,
the JDBC connection configuration can be altered so that the Kylin
server loads and executes arbitrary code from a remote location.
Deployments remain unaffected only as long as Kylin system and project
admin access is well protected.

This issue affects Apache Kylin: from 4.0.0 through 5.0.1.

Users are recommended to upgrade to version 5.0.2 or above, which fixes
the issue.

This issue is being tracked as KYLIN-5994 


Credit:

Pho3n1x <ph...@qq.com> (finder)


References:

https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-30067
https://issues.apache.org/jira/browse/KYLIN-5994

_____________________________________________________________________

CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api
Severity: low

Affected versions:

- Apache Kylin 5.0.0 through 5.0.1

Description:

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.
Through a Kylin server, an attacker may forge a request that invokes
the "/kylin/api/xxx/diag" API on another internal host and possibly
obtain leaked information. There are two preconditions: 1) the attacker
has admin access to a Kylin server; 2) another internal host exposes the
"/kylin/api/xxx/diag" API endpoint.


This issue affects Apache Kylin: from 5.0.0 through 5.0.1.

Users are recommended to upgrade to version 5.0.2, which fixes
the issue.

This issue is being tracked as KYLIN-5644 


Credit:

Zevi <li...@gmail.com> (finder)


References:

https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-48944
https://issues.apache.org/jira/browse/KYLIN-5644
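As an added example that is not part of this note or of the Apache Kylin project, the following Python script turns the two affected ranges above into a quick "am I affected?" check. It takes a Kylin version string (assumed to contain a dotted major.minor.patch number, e.g. "5.0.1" or "5.0.0-SNAPSHOT"; the prefix/suffix handling is an assumption, not a Kylin convention) and reports which of CVE-2025-30067 (4.0.0 through 5.0.1) and CVE-2024-48944 (5.0.0 through 5.0.1) apply, with 5.0.2 as the fixed release for both.

```python
"""Check an Apache Kylin version string against the affected ranges
given in CERT-Renater note 2025/VULN180 (added example, not project code)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, copied from the advisory text.
AFFECTED = {
    "CVE-2025-30067": ((4, 0, 0), (5, 0, 1)),  # RCE via JDBC URL (needs admin access)
    "CVE-2024-48944": ((5, 0, 0), (5, 0, 1)),  # SSRF in diagnosis API (needs admin access)
}
FIXED_IN: Version = (5, 0, 2)  # first release that fixes both issues

# Assumption: the version appears somewhere as major.minor.patch; anything
# around it ("Apache Kylin ", "-SNAPSHOT", ...) is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(version: str) -> List[str]:
    """Return the CVE IDs from this note whose affected range contains `version`."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable Kylin version: {version!r}")
    return [cve for cve, (low, high) in AFFECTED.items() if low <= v <= high]


def needs_upgrade(version: str) -> bool:
    """True when the version is inside at least one affected range."""
    return bool(affected_cves(version))


if __name__ == "__main__":
    # Constructed sample inputs; not taken from any real deployment.
    for sample in ("3.1.3", "4.0.3", "5.0.0-SNAPSHOT", "Apache Kylin 5.0.1", "5.0.2"):
        cves = affected_cves(sample)
        verdict = f"affected by {', '.join(cves)}" if cves else "not affected"
        target = ".".join(map(str, FIXED_IN))
        print(f"{sample:22s} -> {verdict}" + (f" (upgrade to {target})" if cves else ""))
```

Both issues require admin-level access on the Kylin server, so a positive result here is a prompt to upgrade and to review who holds system and project admin rights, not an indication that the instance is reachable by an unauthenticated attacker.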



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
