In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-12-30
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-12-30