CVE-2021-31522

Summary

CVE	CVE-2021-31522
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-06 13:15:00 UTC
Updated	2022-01-12 20:52:00 UTC
Description	Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Risk And Classification

Problem Types: CWE-470

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Kylin	All	All	All	All
Application	Apache	Kylin	4.0.0	-	All	All
Application	Apache	Kylin	4.0.0	alpha	All	All
Application	Apache	Kylin	4.0.0	beta	All	All
Application	Apache	Kylin	All	All	All	All

References

Reference	Source	Link	Tags
oss-security - CVE-2021-31522: Apache Kylin unsafe class loading	MLIST	www.openwall.com
lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw	MISC	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: bo yu <[email protected]>

There are currently no legacy QID mappings associated with this CVE.