CVE-2025-30067

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30067
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/27/4 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*
History

11 Apr 2025, 18:06

Type Values Removed Values Added
References () https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc - () https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/03/27/4 - () http://www.openwall.com/lists/oss-security/2025/03/27/4 - Mailing List, Third Party Advisory
Summary
  • (es) Vulnerabilidad de control inadecuado de la generación de código (inyección de código) en Apache Kylin. Si un atacante obtiene acceso al sistema de Kylin o al permiso de administrador del proyecto, la configuración de la conexión JDBC podría modificarse para ejecutar código arbitrario desde el control remoto. Esto no tendrá problema siempre que el acceso al sistema de Kylin y al administrador del proyecto esté bien protegido. Este problema afecta a Apache Kylin desde la versión 4.0.0 hasta la 5.0.1. Se recomienda actualizar a la versión 5.0.2 o superior, que soluciona el problema.
CPE cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*
First Time Apache
Apache kylin

27 Mar 2025, 18:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.2

27 Mar 2025, 16:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/03/27/4 -

27 Mar 2025, 15:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-27 15:16

Updated : 2025-04-11 18:06

NVD link : CVE-2025-30067

Mitre link : CVE-2025-30067

CVE.ORG link : CVE-2025-30067

JSON object : View

Products Affected

apache

  • kylin
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')