PT-2022-16810 · Kylin · Kylin

Published

2022-10-12

·

Updated

2025-05-16

·

CVE-2022-24697

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Kylin versions 2.6.5 and earlier
Kylin versions 3.1.2 and earlier
Kylin versions 4.0.1 and earlier
Description

Apache Kylin's cube designer contains an OS command injection vulnerability. Values entered in the Configuration Overwrites menu are used to overwrite system parameters and are inserted, wrapped in single quotation marks, into the --conf= parameter of the command line that Kylin builds for the cube build job. A value containing a single quotation mark closes the quoted parameter, so the rest of the value is parsed by the shell as further command-line syntax. Anyone who can edit a cube's configuration overwrites can therefore inject arbitrary operating system commands and achieve Remote Code Execution (RCE) on the Kylin host.
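As an added illustration (not Apache Kylin's own code), the following Python models the quoting bug described above: a build command assembled as a shell string with each override wrapped in single quotes, tokenised the way a POSIX shell would read it, shown beside two hardened builders. The property prefix kylin.engine.spark-conf., the class name org.example.SparkCubing, the sample override values and every function name are this example's assumptions; the overrides are constructed input and nothing is executed.

```python
"""Added example, not Apache Kylin's code: why a single-quoted --conf value
is injectable, shown by tokenising the built command line the way a POSIX
shell would, beside two hardened builders.  All names here
(build_spark_cmd_vulnerable, build_spark_argv, the override keys/values and
the prefix) are this example's own assumptions; the overrides are
constructed sample input."""
import re
import shlex

PREFIX = "kylin.engine.spark-conf."     # assumed prefix of overrides forwarded to spark-submit
KEY_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")  # assumed allowlist for Spark property names

# Constructed input: what a user could type into a cube's "Configuration
# Overwrites".  The malicious value closes the single quote around --conf
# and appends further shell commands.
BENIGN = {PREFIX + "spark.executor.memory": "4G"}
MALICIOUS = {PREFIX + "spark.executor.memory": "4G'; touch /tmp/pwned; echo '"}


def build_spark_cmd_vulnerable(overrides):
    """Vulnerable pattern: one command *string*, each override wrapped in
    literal single quotes and later handed to /bin/sh.  A ' inside the value
    ends the quoted word; whatever follows is parsed as shell syntax."""
    cmd = "spark-submit --class org.example.SparkCubing"
    for key, value in overrides.items():
        if key.startswith(PREFIX):
            cmd += " --conf '%s=%s'" % (key[len(PREFIX):], value)
    return cmd


def build_spark_cmd_quoted(overrides):
    """Hardened, still a shell string: shlex.quote() escapes each value so an
    embedded quote can no longer terminate the word."""
    cmd = "spark-submit --class org.example.SparkCubing"
    for key, value in overrides.items():
        if key.startswith(PREFIX):
            cmd += " --conf " + shlex.quote("%s=%s" % (key[len(PREFIX):], value))
    return cmd


def build_spark_argv(overrides):
    """Preferred fix: build an argv list and run it *without* a shell
    (e.g. subprocess.run(argv)), so values are never parsed as shell syntax.
    Property names are also checked against an allowlist so an override
    cannot smuggle in extra spark-submit options."""
    argv = ["spark-submit", "--class", "org.example.SparkCubing"]
    for key, value in overrides.items():
        if not key.startswith(PREFIX):
            continue
        prop = key[len(PREFIX):]
        if not KEY_RE.match(prop):
            raise ValueError("rejected Spark property name: %r" % prop)
        argv += ["--conf", "%s=%s" % (prop, value)]
    return argv


def shell_commands(cmd):
    """Tokenise a command line like a POSIX shell (quotes honoured, ';' is a
    command separator) and return the simple commands it would execute.
    Nothing is run; this only shows what /bin/sh would see."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for name, overrides in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "vulnerable ->", shell_commands(build_spark_cmd_vulnerable(overrides)))
        print(name, "quoted     ->", shell_commands(build_spark_cmd_quoted(overrides)))
        print(name, "argv       ->", build_spark_argv(overrides))
```

Run with the malicious override, the vulnerable builder yields three shell commands (spark-submit, touch, echo) where one was intended; the quoted builder and the argv builder each keep the whole value inside a single --conf argument, so spark-submit merely receives an invalid memory setting. Building argv and skipping the shell is the more robust choice because it removes the quoting problem rather than patching around it.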
Recommendations

Upgrade to a fixed release: later than 2.6.5 for the Kylin 2.x line, later than 3.1.2 for Kylin 3.x, and later than 4.0.1 for Kylin 4.x. Until the upgrade is applied, restrict access to the cube designer's Configuration Overwrites menu to trusted administrators, review existing cube configuration overwrites for values containing single quotation marks or other shell metacharacters, and avoid passing user-controlled overrides into the --conf= parameter of the job command line.

Fix

RCE

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2022-24697
GHSA-PPXX-M926-G569

Affected Products

Kylin