Server-Side Request Forgery in Apache Kylin by The Apache Software Foundation
CVE-2024-48944

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Kylin
Vendor: CVE Published:; 27 March 2025

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Apache Kylin, allowing authenticated attackers with admin access to forge requests. This can lead to unauthorized access to the '/kylin/api/xxx/diag' API on another internal server, potentially resulting in sensitive information leakage. It is crucial for users running versions 5.0.0 or 5.0.1 to upgrade to version 5.0.2 to mitigate this risk.

Affected Version(s)

Apache Kylin 5.0.0 <= 5.0.1

References

https://lists.apache.org/thread/1xxxtdfh9hzqsqgb1pd9grb8h...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Oct 9, 2024

Credit

Zevi <[email protected]>