CVE-2022-24697

Published: Oct 13, 2022

Modified: May 16, 2025

PUBLISHED

Description

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.

Vendor	Product	Versions
Apache Software Foundation	Apache Kylin	affected `Apache Kylin 2 - < 2.6.6` affected `Apache Kylin 3 - <= 3.1.2` affected `Apache Kylin 4 - <= 4.0.1`

References

https://lists.apache.org/thread/07mnn9c7o314wrhrwjr10w9j5s82voj4

[oss-security] 20221230 CVE-2022-43396: Apache Kylin: Command injection by Useless configuration

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-24697

Description

Affected Products

References