This is an automated email from the ASF dual-hosted git repository.
liyang pushed a commit to branch doc5.0
in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/doc5.0 by this push:
new a145bfd9bb update security page
a145bfd9bb is described below
commit a145bfd9bb802d73e1563ab12cc9a51cdc5f9f49
Author: lionelcao <[email protected]>
AuthorDate: Sat Mar 29 12:33:15 2025 +0800
update security page
---
website/docs/development/security.md | 53 ++++++++++++++++++++++++++++++++++--
1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/website/docs/development/security.md
b/website/docs/development/security.md
index addaf9734e..fb0a9ad5fa 100644
--- a/website/docs/development/security.md
+++ b/website/docs/development/security.md
@@ -18,11 +18,10 @@ last_update:
---
# Apache Kylin Security
-
The Apache Software Foundation takes security issues very seriously.
Apache Kylin specifically offers security features and is responsive to issues
around its features.
If you have any concern around Kylin Security or believe you have uncovered a
vulnerability,
-we suggest that you get in touch via the e-mail address [[email protected]].
+we suggest that you get in touch via the e-mail address
```[email protected]```.
In the message, try to provide a description of the issue and ideally a way of
reproducing it.
The security team will get back to you after assessing the description.
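Review bot: the new inline code span for the security address uses triple backticks (```[email protected]```) where single backticks are the Markdown convention for inline code; worse, if the backticks really begin a new line in the file, CommonMark parses a line that starts with ``` as the opening fence of a code block and the rest of the section renders as code. Since the removed text `[[email protected]]` was a link with no target, the cleaner fix is a mailto link, e.g. `[[email protected]](mailto:[email protected])`, which renders as a clickable address and cannot be mis-parsed as a fence. Dropping the blank line after `# Apache Kylin Security` is harmless in CommonMark but inconsistent with the spacing used elsewhere in this file.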
@@ -34,4 +33,54 @@ Please report any security problems to the project security
address before discl
The ASF Security team maintains a page with a description of how
vulnerabilities are handled,
check their [Web page](http://apache.org/security/) for more information.
+# Known Security Issues
+## CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api
+Severity: low
+
+Affected versions:
+
+- Apache Kylin 5.0.0 through 5.0.1
+
+Description:
+
+Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a
kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag"
api on another internal host and possibly get leaked information. There are two
preconditions: 1) The attacker has got admin access to a kylin server; 2)
Another internal host has the "/kylin/api/xxx/diag" api
+
+endpoint open for service.
+
+
+This issue affects Apache Kylin: from 5.0.0
+through
+
+5.0.1.
+
+Users are recommended to upgrade to version 5.0.2, which fixes the issue.
+
+This issue is being tracked as KYLIN-5644
+
+Credit:
+
+- Zevi (finder)
+
+## CVE-2025-30067: Apache Kylin: The remote code execution via jdbc url
+
+Severity: low
+
+Affected versions:
+
+- Apache Kylin 4.0.0 through 5.0.1
+
+Description:
+
+Improper Control of Generation of Code ('Code Injection') vulnerability in
Apache Kylin.
+If an attacker gets access to Kylin's system or project admin permission, the
JDBC connection configuration maybe altered to execute arbitrary code from the
remote. You are fine as long as the Kylin's system and project admin access is
well protected.
+
+This issue affects Apache Kylin: from 4.0.0 through 5.0.1.
+
+Users are recommended to upgrade to version 5.0.2 or above, which fixes the
issue.
+
+This issue is being tracked as KYLIN-5994
+
+Credit:
+
+Pho3n1x (finder)
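Review bot: `# Known Security Issues` introduces a second H1 on a page that already opens with `# Apache Kylin Security`; make it `## Known Security Issues`, demote the two CVE headings to `###`, and put a blank line before it so it is not glued to the preceding "Web page" paragraph. The CVE-2024-48944 description is split by stray blank lines (`api` / `endpoint open for service.` and `from 5.0.0` / `through` / `5.0.1.`), which Markdown renders as separate paragraphs; join each into one sentence. Smaller fixes: `maybe altered` should read `may be altered`; the two credit entries use different formats (`- Zevi (finder)` as a list item, `Pho3n1x (finder)` as bare text); and the tracking lines for `KYLIN-5644` and `KYLIN-5994` end without a period and would be more useful as links to the JIRA issues and the CVE records so readers can verify the advisories and the fixed version.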