Message-ID: <3f686759-fe4a-59e7-c03b-a10e69815b1e@apache.org>
Date: Thu, 27 Mar 2025 01:24:49 +0000
From: Li Yang <liyang@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api

Severity: low

Affected versions:
- Apache Kylin 5.0.0 through 5.0.1

Description:
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a Kylin server, an attacker may forge a request that invokes the "/kylin/api/xxx/diag" API on another internal host and possibly obtain leaked information. There are two preconditions:
1) The attacker has admin access to a Kylin server;
2) Another internal host has the "/kylin/api/xxx/diag" API endpoint open for service.

This issue affects Apache Kylin from 5.0.0 through 5.0.1.

Users are recommended to upgrade to version 5.0.2, which fixes the issue.

This issue is being tracked as KYLIN-5644.

Credit:
Zevi <linzmgx@...il.com> (finder)

References:
https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-48944
https://issues.apache.org/jira/browse/KYLIN-5644
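The advisory describes the classic SSRF shape: a server-side feature takes a user-influenced destination and makes an outbound request to it, so an authenticated user can reach hosts that are only meant to be reachable from inside the network. The usual defensive pattern is to validate the destination before the server connects: scheme, authority, port, path, and the address the name resolves to. The following is an added, illustrative guard written for this post; it is not Apache Kylin code and does not describe how 5.0.2 fixes the issue. The peer hostnames, port, network range, and the FAKE_DNS table are constructed so the example runs offline; a real caller would pass a resolver such as socket.gethostbyname.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed configuration for this example (not Kylin settings): the only
# peer hosts the server-side "diag" fetch may contact, the port they listen on,
# and the network range those peers are expected to resolve into.
ALLOWED_PEERS = {"kylin-node-2.example.internal", "kylin-node-3.example.internal"}
ALLOWED_PORT = 7070
PEER_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "kylin-node-2.example.internal": "10.20.0.12",
    "kylin-node-3.example.internal": "10.20.0.13",
}


class SsrfRejected(ValueError):
    """Raised when a user-influenced outbound target fails validation."""


def check_outbound_target(url, resolve=FAKE_DNS.get):
    """Validate a user-influenced URL before the server fetches it.

    Returns (hostname, pinned_ip, path) for a permitted target and raises
    SsrfRejected otherwise. The caller should connect to pinned_ip (sending
    hostname in the Host header) so that a second DNS lookup cannot change
    the destination after this check has passed.
    """
    parts = urlparse(url)

    # 1. Only plain HTTP(S); no file://, gopher:// or other schemes.
    if parts.scheme not in ("http", "https"):
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")

    # 2. No credentials in the authority (http://allowed-name@other-host/).
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL not allowed")

    # 3. Exact hostname allowlist; urlparse lowercases the hostname and strips
    #    IPv6 brackets, so a literal IP address never matches a peer name.
    host = parts.hostname
    if host is None or host not in ALLOWED_PEERS:
        raise SsrfRejected(f"host not in peer allowlist: {host!r}")

    # 4. Only the expected service port.
    if parts.port not in (None, ALLOWED_PORT):
        raise SsrfRejected(f"port not allowed: {parts.port}")

    # 5. Only the intended endpoint shape: /kylin/api/<...>/diag with no
    #    traversal, dot or empty segments.
    path = parts.path
    segments = path.split("/")
    if (not path.startswith("/kylin/api/") or not path.endswith("/diag")
            or "" in segments[1:] or ".." in segments or "." in segments):
        raise SsrfRejected(f"path not allowed: {path!r}")

    # 6. Resolve once and pin: the name must land inside the peer network,
    #    which defeats DNS rebinding toward loopback or link-local addresses.
    ip_str = resolve(host)
    if ip_str is None:
        raise SsrfRejected(f"could not resolve {host!r}")
    ip = ipaddress.ip_address(ip_str)
    if ip not in PEER_NETWORK:
        raise SsrfRejected(f"{host!r} resolved to {ip}, outside {PEER_NETWORK}")

    return host, str(ip), path


def is_permitted(url, resolve=FAKE_DNS.get):
    """Boolean convenience wrapper around check_outbound_target."""
    try:
        check_outbound_target(url, resolve=resolve)
    except SsrfRejected:
        return False
    return True


if __name__ == "__main__":
    for candidate in (
        "http://kylin-node-2.example.internal:7070/kylin/api/system/diag",
        "http://127.0.0.1:7070/kylin/api/system/diag",
        "http://kylin-node-2.example.internal/kylin/api/../diag",
    ):
        verdict = "permitted" if is_permitted(candidate) else "rejected"
        print(candidate, "->", verdict)
```

The allowlist is the real control here; the resolve-and-pin step closes the gap between validation and connection. Note that this guard only addresses the first half of the advisory's preconditions (the forwarding server); the second precondition, a diag endpoint on another host accepting requests without its own authentication, has to be fixed on that receiving host.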