Vulnerability Details : CVE-2021-36774
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
Vulnerability category: Execute code
Products affected by CVE-2021-36774
- cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-36774
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~28% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-36774
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2021-36774
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-36774
- http://www.openwall.com/lists/oss-security/2022/01/06/5 : oss-security - CVE-2021-36774: Apache Kylin: Mysql JDBC Connector Deserialize RCE (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow : CVE-2021-36774: Apache Kylin: Mysql JDBC Connector Deserialize RCE - Apache Mail Archives (Mailing List; Vendor Advisory)