Severity: important
Description:
The Diagnosis Controller lacks parameter validation, so a user may be attacked by
command injection via an HTTP request.
Work Arounds:
Users of Kylin 2.x & Kylin 3.x & 4.x should upgrade to 4.0.3 or apply the patch
https://github.com/apache/kylin/pull/2011
https://github.com
Severity: important
Description:
In the fix for CVE-2022-24697, a blacklist is used to filter user-input
commands, but it can be bypassed: the user can still control the command by
controlling the kylin.engine.spark-cmd parameter in conf.
Work Arounds:
Users of Kylin 2.x & Kylin 3.x
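The second advisory's point, that a blacklist applied to a command string is easy to get around, is clearest next to the alternative. The Python below is an added example and not Kylin's code or its actual fix: a toy denylist check of the kind the advisory describes, beside an allowlist validator that parses the configured value into an argument vector intended for a shell-less launch (subprocess with shell=False). The executable name spark-submit, the permitted argument character set and the denylist words are assumptions chosen for the illustration; the sample command values are constructed.

```python
import os
import re
import shlex
from typing import List

# --- Denylist filter: a constructed stand-in for the kind of check the advisory
# says was bypassed. It only knows a handful of substrings, so any command that
# simply is not on the list passes unchanged.
FORBIDDEN_SUBSTRINGS = ("rm ", "bash", "nc ", "curl")


def denylist_check(cmd: str) -> bool:
    """Return True if cmd contains none of the forbidden substrings."""
    lowered = cmd.lower()
    return not any(bad in lowered for bad in FORBIDDEN_SUBSTRINGS)


# --- Allowlist validator: the hardened alternative.
# Assumption: the only launcher a spark-cmd setting should ever name is spark-submit.
ALLOWED_EXECUTABLES = {"spark-submit"}
# Assumption: arguments use a conservative character set. Shell metacharacters
# such as ; | & $ ` ( ) < > and whitespace are never part of a legitimate argument.
SAFE_ARG = re.compile(r"[A-Za-z0-9_./:=,@+-]+")


def validate_spark_cmd(cmd: str) -> List[str]:
    """Parse a configured command into an argv list, or raise ValueError.

    The returned list is meant for subprocess.run(argv, shell=False), so no
    shell ever interprets the string; the allowlist is the second line of
    defence, not the only one.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:  # unbalanced quotes
        raise ValueError(f"malformed command: {exc}")
    if not argv:
        raise ValueError("empty command")
    exe = os.path.basename(argv[0])
    if exe not in ALLOWED_EXECUTABLES:
        raise ValueError(f"executable not permitted: {exe!r}")
    for arg in argv[1:]:
        if not SAFE_ARG.fullmatch(arg):
            raise ValueError(f"argument contains disallowed characters: {arg!r}")
    return argv


def is_accepted(cmd: str) -> bool:
    """Boolean wrapper so the two checks can be compared side by side."""
    try:
        validate_spark_cmd(cmd)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values for a kylin.engine.spark-cmd style setting.
    samples = [
        "/opt/spark/bin/spark-submit --class org.example.Main --conf spark.executor.memory=4g app.jar",
        "spark-submit --class org.example.Main app.jar; id",  # trailing extra command
        "python3 -c print(1)",  # different executable, absent from the denylist
    ]
    for s in samples:
        print(f"denylist={denylist_check(s)!s:5} allowlist={is_accepted(s)!s:5}  {s}")
```

Running the block shows the difference in one line each: the legitimate spark-submit invocation passes both checks, the value with a trailing extra command is caught by the allowlist because `app.jar;` contains a disallowed character, and a value naming a different executable sails through the denylist (nothing on its list appears in it) while the allowlist rejects it because the executable is not spark-submit. The design choice worth copying is the combination: validate against what is expected rather than what is feared, and hand the result to the process API as an argument vector so that no shell parses it at all.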