
Zevi

Rank: #17150 of 53,624
Total CVSS: 15.6
Vulnerabilities: 2 (1 Medium, 1 High)
PT-2025-13035 · CVSS 6.8 · 2025-03-27 · Apache · Apache Kylin · CVE-2024-48944
**Name of the Vulnerable Software and Affected Versions** Apache Kylin versions 5.0.0 through 5.0.1 **Description** A Server-Side Request Forgery (SSRF) issue in Apache Kylin allows an attacker who already holds admin access on a Kylin server to forge a request that invokes the "/kylin/api/xxx/diag" API endpoint on another internal host, potentially leaking information from that host. Exploitation requires two preconditions: the attacker must have admin access to a Kylin server, and another internal host must expose the "/kylin/api/xxx/diag" API endpoint. **Recommendations** For Apache Kylin versions 5.0.0 through 5.0.1, upgrade to version 5.0.2, which fixes the issue. As a temporary workaround, restrict access to the "/kylin/api/xxx/diag" API endpoint (for example at a reverse proxy or host firewall in front of each Kylin server) to reduce the risk of exploitation.
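The following is an added example, not code from Apache Kylin or from this advisory, showing the two controls the entry describes: the temporary workaround (refuse requests to the diag endpoint outright) and a generic SSRF guard for server-initiated requests (allowlist of target hosts, with loopback, private, link-local and IPv4-mapped IP literals rejected even if allowlisted). The path pattern below treats the "xxx" segment as a wildcard because the page does not spell it out; the hostnames, the `gate` function and the request shapes in the tests are assumptions for illustration only.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical matcher for "/kylin/api/xxx/diag": the real path segment is not
# given on the page, so any single segment is accepted in that position.
DIAG_PATH = re.compile(r"^/kylin/api/[^/]+/diag(?:/|$)")

# Address ranges an SSRF target must never land in, regardless of allowlisting.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),   # includes cloud metadata 169.254.169.254
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_diag_request(path: str) -> bool:
    """Temporary workaround from the advisory: identify requests to the diag endpoint."""
    return bool(DIAG_PATH.match(path))


def is_blocked_target(host: str) -> bool:
    """True if host is an IP literal inside a blocked range.

    Hostnames are not resolved here; a real deployment must resolve the name and
    check every returned address (and re-check at connect time) to defeat DNS
    rebinding. IPv4-mapped IPv6 literals are unwrapped so "::ffff:127.0.0.1"
    is still caught.
    """
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def allow_outbound(url: str, allowed_hosts: set) -> bool:
    """Allowlist-first policy for requests the server makes on a user's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if is_blocked_target(host):
        return False
    return host in allowed_hosts


def gate(request_path: str, target_url: str, allowed_hosts: set) -> str:
    """Hypothetical request gate combining both checks; returns the decision as text."""
    if is_diag_request(request_path):
        return "deny: diag endpoint disabled (temporary workaround)"
    if not allow_outbound(target_url, allowed_hosts):
        return "deny: target host not allowlisted or internal"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests (assumed shapes, not real Kylin traffic).
    print(gate("/kylin/api/system/diag", "http://kylin-2.internal/kylin/api/system/diag", {"kylin-2.internal"}))
    print(gate("/kylin/api/projects", "http://169.254.169.254/latest/meta-data/", {"169.254.169.254"}))
    print(gate("/kylin/api/projects", "https://metrics.example.com/status", {"metrics.example.com"}))
```

The allowlist check is the durable control; the path block is only the stopgap the advisory suggests until 5.0.2 is deployed, and it should be applied as close to the edge as possible so admin credentials alone are not enough to reach the endpoint.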
PT-2024-23239 · CVSS 8.8 · 2024-03-28 · Apache · Apache Dolphinscheduler · CVE-2024-30188
**Name of the Vulnerable Software and Affected Versions** Apache DolphinScheduler versions 3.1.0 through 3.2.1 **Description** A file read and write vulnerability in Apache DolphinScheduler allows authenticated users to read and write resource files that they are not authorized to access. **Recommendations** For Apache DolphinScheduler versions 3.1.0 through 3.2.1, upgrade to version 3.2.2, which fixes the issue.