[
https://issues.apache.org/jira/browse/KYLIN-5994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yinghao Lin updated KYLIN-5994:
-------------------------------
Description: There is a vulnerability on adding jdbc data source with
unchecked jdbc url which may cause kylin server connect to a malicious remote
server and get unexpected result with code execution script invoked. (from
Pho3n1x) (was: There is a vulnerability on adding jdbc data source with
unchecked jdbc url which may cause kylin server connect to a malicious remote
server and get unexpected result with code execution script invoked. (from
Pho3n1x)
DBs and its' vulnerable url parameters are:
*derby*
- startMaster
- slaveHost
*mysql*
- autoDeserialize
- queryInterceptors
- statementInterceptors
- detectCustomCollations
*h2*
- INIT=RUNSCRIPT
*ibm db2*
- clientRerouteServerListJNDIName
*sqlite*
- resource:xxx
*bad JDBC scheme*
- jdbc:jcr:jndi
- jdbc:mysql:fabric)
> JDBC remote code execution vulnerability
> ----------------------------------------
>
> Key: KYLIN-5994
> URL: https://issues.apache.org/jira/browse/KYLIN-5994
> Project: Kylin
> Issue Type: Bug
> Components: RDBMS Source
> Affects Versions: 5.0.0
> Reporter: Yinghao Lin
> Priority: Major
> Fix For: 5.0.1
>
>
> There is a vulnerability on adding jdbc data source with unchecked jdbc url
> which may cause kylin server connect to a malicious remote server and get
> unexpected result with code execution script invoked. (from Pho3n1x)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
