Message-ID: <3f686759-fe4a-59e7-c03b-a10e69815b1e@apache.org>
Date: Thu, 27 Mar 2025 01:24:49 +0000
From: Li Yang <liyang@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api

Severity: low

Affected versions:

- Apache Kylin 5.0.0 through 5.0.1

Description:

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a Kylin server, an attacker may forge a request to invoke the "/kylin/api/xxx/diag" API on another internal host and possibly obtain leaked information. There are two preconditions: 1) the attacker has admin access to a Kylin server; 2) another internal host has the "/kylin/api/xxx/diag" API endpoint open for service.

This issue affects Apache Kylin: from 5.0.0 through 5.0.1.

Users are recommended to upgrade to version 5.0.2, which fixes the issue.

This issue is being tracked as KYLIN-5644.
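The advisory itself carries no code. The check below is an added illustration, not Apache Kylin's code or its actual fix: it assumes a hypothetical node-to-node "diag" forwarder and a constructed cluster node list, and shows the defensive pattern that closes this class of SSRF, namely that a forwarded diagnosis request is only ever sent to a host from the server's own configured allow-list and only to the diag endpoint shape named in the advisory.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the only cluster nodes this server may forward to.
# A real deployment would take this from the server's own configuration.
ALLOWED_NODES = {("kylin-node-1.internal", 7070), ("kylin-node-2.internal", 7070)}


class ForwardTargetRejected(ValueError):
    """Raised when a caller-supplied target must not be contacted."""


def validate_forward_target(raw_url: str, allowed_nodes=ALLOWED_NODES) -> str:
    """Return a normalized URL if raw_url names the diag endpoint of an
    allowed node; raise ForwardTargetRejected otherwise. The allow-list is
    checked on the parsed (host, port), so userinfo tricks, odd ports and
    other schemes cannot steer the request elsewhere."""
    parts = urlsplit(raw_url)  # scheme and hostname come back lower-cased
    if parts.scheme not in ("http", "https"):
        raise ForwardTargetRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ForwardTargetRejected("userinfo in target URL is not allowed")
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        raise ForwardTargetRejected("target has no host")
    try:
        port = parts.port  # raises ValueError on a non-numeric/out-of-range port
    except ValueError as exc:
        raise ForwardTargetRejected("invalid port") from exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if (host, port) not in allowed_nodes:
        raise ForwardTargetRejected(f"host not in cluster allow-list: {host}:{port}")
    # Only the exact "/kylin/api/<name>/diag" shape from the advisory is
    # forwarded; dot and empty segments are rejected rather than normalized,
    # so no other endpoint on the node can be reached through this path.
    segments = parts.path.split("/")
    if (len(segments) != 5 or segments[:3] != ["", "kylin", "api"]
            or segments[4] != "diag" or segments[3] in ("", ".", "..")):
        raise ForwardTargetRejected(f"path is not a diag endpoint: {parts.path!r}")
    netloc_host = f"[{host}]" if ":" in host else host
    return urlunsplit((parts.scheme, f"{netloc_host}:{port}", parts.path, parts.query, ""))


def is_allowed(raw_url: str) -> bool:
    """Boolean convenience wrapper around validate_forward_target."""
    try:
        validate_forward_target(raw_url)
        return True
    except ForwardTargetRejected:
        return False
```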

Credit:

Zevi <linzmgx@...il.com> (finder)

References:

https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-48944
https://issues.apache.org/jira/browse/KYLIN-5644
