Platform: java
Component: org.apache.kylin:kylin-common-server
Fixed in: 5.0.2
CVE-2024-48944 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Apache Kylin. This vulnerability allows an authenticated attacker to potentially leak information by forging requests to internal hosts. The issue affects Apache Kylin versions 5.0.0 and prior, and a fix is available in version 5.0.2.
The SSRF vulnerability in Apache Kylin allows an attacker with administrative privileges to craft malicious requests. By exploiting this flaw, an attacker can potentially trigger requests to internal services or hosts that are not directly accessible from the outside world. This could lead to information disclosure, as the attacker might be able to access sensitive data exposed through the /kylin/api/xxx/diag endpoint on internal systems. The potential blast radius is limited to internal resources accessible from the Kylin server, but the impact can be significant if those resources contain sensitive data.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate widespread exploitation. The vulnerability was publicly disclosed on 2025-03-27. Given the requirement for administrative access, exploitation is likely to be targeted and require insider knowledge or compromised credentials.
Exploit Status: EPSS 0.14% (34th percentile)
The primary mitigation for CVE-2024-48944 is to upgrade Apache Kylin to version 5.0.2 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider restricting network access to the Kylin server to prevent it from reaching internal resources. Implement strict firewall rules to limit outbound connections from the Kylin server. Additionally, review and secure any internal services exposed through the /kylin/api/xxx/diag endpoint to minimize potential data leakage. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability and verifying that the request is blocked.
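The network restriction above can also be enforced at the application layer. The following is an added example, not Apache Kylin's code and not the project's actual fix for CVE-2024-48944: before a server-initiated request is issued, the destination host is resolved and every returned address is checked against non-global ranges (RFC 1918, loopback, link-local including the 169.254.169.254 metadata endpoint, and their IPv6 equivalents). The URLs, host names, `check_target` and the stub resolver used for the offline run are all constructed for this example.

```python
# Added example (not Apache Kylin's code or its fix for CVE-2024-48944): deny
# server-side fetches whose destination resolves to an internal address.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


def is_internal_address(addr: str) -> bool:
    """True for any address that is not globally routable: RFC 1918 space,
    loopback, link-local (which covers the 169.254.169.254 cloud metadata
    endpoint), shared/reserved/documentation ranges and IPv6 equivalents."""
    return not ipaddress.ip_address(addr).is_global


def resolve_all(host: str) -> List[str]:
    """Return every address the host resolves to; IP literals pass through.
    Checking all answers, not just the first, closes the gap where a name
    returns one public and one private address."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        infos = socket.getaddrinfo(host, None)
        return sorted({info[4][0] for info in infos})


def check_target(url: str,
                 resolver: Callable[[str], List[str]] = resolve_all) -> Tuple[bool, str]:
    """Decide whether an outbound request to `url` may be issued.
    Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, f"{parts.hostname!r} does not resolve"
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, "ok"


# Constructed stub resolver so the example runs offline; the names are made up.
FAKE_DNS = {
    "reports.example.net": ["8.8.8.8"],              # public-only answer
    "rebind.example.net": ["8.8.8.8", "10.0.0.5"],   # mixed public + private
}


def stub_resolver(host: str) -> List[str]:
    """Offline stand-in for resolve_all() using the constructed FAKE_DNS table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"unknown host {host}")
        return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://10.0.0.5/kylin/api/",          # RFC 1918
              "http://169.254.169.254/latest/",       # cloud metadata
              "http://[::1]:7070/kylin/api/",         # IPv6 loopback
              "http://rebind.example.net/",           # mixed answers
              "https://reports.example.net/"):        # allowed
        print(u, "->", check_target(u, stub_resolver))
```

Two caveats apply when using a check like this in production: connect to the address that was checked rather than resolving the name a second time (otherwise a name that changes between check and connect bypasses the filter), and re-run the check on every HTTP redirect, since a public host can redirect the server to an internal one.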
Upgrade Apache Kylin to version 5.0.2 or higher. This version corrects the SSRF vulnerability in the diagnostic API. The upgrade will prevent attackers with administrative access to a Kylin server from forging requests to other internal hosts and obtaining sensitive information.
CVE-2024-48944 is a Server-Side Request Forgery vulnerability in Apache Kylin versions 5.0.0 and earlier, allowing attackers with admin access to potentially leak information by forging requests to internal hosts.
You are affected if you are running Apache Kylin versions 5.0.0 or earlier. Upgrade to 5.0.2 or later to mitigate the vulnerability.
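To turn the version statement above into a check against a build file, here is an added example (not part of this advisory or of the Apache Kylin project) that scans a Maven pom.xml for the affected component and classifies its declared version: 5.0.0 and earlier as affected, 5.0.2 and later as fixed, anything in between as not covered by the advisory. The sample POM, its property name and the second (non-Kylin) artifact id are constructed; parent/BOM-inherited versions are reported as unresolved rather than guessed.

```python
# Added example, not advisory or project code: flag org.apache.kylin:kylin-common-server
# versions that fall in the range CVE-2024-48944 marks as affected.
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

VULN_GROUP = "org.apache.kylin"
VULN_ARTIFACT = "kylin-common-server"
LAST_AFFECTED = (5, 0, 0)   # "5.0.0 and prior" per the advisory
FIXED_IN = (5, 0, 2)        # fix shipped in 5.0.2


def parse_version(v: str) -> Tuple[int, ...]:
    """Keep the leading numeric components only: '5.0.2-SNAPSHOT' -> (5, 0, 2)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version: str) -> str:
    """Compare a version string against the advisory's affected/fixed bounds."""
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))          # pad so "5" compares like "5.0.0"
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED_IN:
        return "fixed"
    return "unlisted"                     # e.g. 5.0.1: not named by the advisory


def scan_pom(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (artifactId, verdict) for every matching dependency in the POM."""
    root = ET.fromstring(pom_xml)
    # Maven POMs carry a default namespace; strip it so tag lookups stay simple.
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {}
    for props_el in root.iter(ns + "properties"):
        for p in props_el:
            props[p.tag[len(ns):]] = (p.text or "").strip()
    findings = []
    for dep in root.iter(ns + "dependency"):
        g = (dep.findtext(ns + "groupId", "") or "").strip()
        a = (dep.findtext(ns + "artifactId", "") or "").strip()
        v = (dep.findtext(ns + "version", "") or "").strip()
        if g != VULN_GROUP or a != VULN_ARTIFACT:
            continue
        m = re.fullmatch(r"\$\{([^}]+)\}", v)   # resolve ${some.property}
        if m:
            v = props.get(m.group(1), v)
        if not v or v.startswith("${"):
            findings.append((a, "version not declared here (parent/BOM); check effective POM"))
            continue
        findings.append((a, f"{v}: {classify(v)}"))
    return findings


# Constructed sample POM; "kylin-other-module" is a made-up artifact id.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><kylin.version>5.0.0</kylin.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.kylin</groupId>
      <artifactId>kylin-common-server</artifactId>
      <version>${kylin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.kylin</groupId>
      <artifactId>kylin-other-module</artifactId>
      <version>5.0.2</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, verdict in scan_pom(SAMPLE_POM):
        print(f"{artifact}: {verdict}")
```

Run it against a real pom.xml by reading the file into `scan_pom`; for multi-module builds, generate the effective POM first so inherited versions are visible to the scanner.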
Upgrade Apache Kylin to version 5.0.2 or later. As a temporary workaround, restrict network access to the Kylin server to prevent it from reaching internal resources.
There is no confirmed evidence of active exploitation at this time, but the vulnerability remains a potential risk.
Refer to the Apache Kylin security advisories on the Apache project website for the latest information and updates: https://kylin.apache.org/security/