{"id":"CVE-2022-43396","details":"The fix for CVE-2022-24697 uses a blacklist to filter user input commands, but this blacklist is at risk of being bypassed: the user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.","aliases":["GHSA-f5q9-j9r2-34gq"],"modified":"2026-04-10T04:52:04.457617Z","published":"2022-12-30T11:15:10.407Z","references":[{"type":"FIX","url":"https://lists.apache.org/thread/ob2ks04zl5ms0r44cd74y1xdl1rzfd1r"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/kylin","events":[{"introduced":"0"},{"fixed":"322ab6e5ee9738c5a07165af398c1faeeeacb079"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.3"}]}}],"versions":["kylin-4.0.0-alpha","kylin-4.0.0-beta","kylin-4.0.2","v0.6.1","v0.6.1_mysql_auth"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-43396.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}