org.apache.kylin:kylin
Fixed version
5.0.2
CVE-2025-30067 describes a code injection vulnerability within Apache Kylin, specifically related to the improper control of code generation. This vulnerability allows an attacker with system or project admin privileges to potentially execute arbitrary code via manipulation of JDBC connection configurations. The vulnerability impacts versions of Apache Kylin from 4.0.0 through 5.0.1, and a fix is available in version 5.0.2.
Successful exploitation of CVE-2025-30067 hinges on an attacker gaining administrative access to the Apache Kylin system or project. Once this access is achieved, they can modify the JDBC connection configuration, injecting malicious code that will be executed remotely. The potential impact is significant, ranging from data exfiltration and system compromise to complete control of the Kylin instance. This could lead to the compromise of sensitive data processed by Kylin, disruption of business intelligence operations, and potentially, lateral movement within the network if Kylin is integrated with other systems. While the CVSS score is LOW, the requirement for admin privileges and the potential for severe consequences necessitate prompt remediation.
CVE-2025-30067 was publicly disclosed on March 27, 2025. As of this date, there are no publicly known proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely low due to the requirement for administrative privileges and the lack of public exploits, but diligent monitoring is still recommended.
Organizations heavily reliant on Apache Kylin for business intelligence and data analytics are at risk, particularly those with legacy configurations or inadequate access controls. Shared hosting environments where multiple users share access to the Kylin instance are also at increased risk, as a compromised user account could be leveraged to exploit this vulnerability.
• linux / server: journalctl -u kylin-server | grep "JDBC connection"
• java / platform: Inspect JDBC connection strings in Kylin's configuration files for unusual or unexpected parameters.
• generic web: Review Kylin access logs for unusual JDBC connection attempts or errors related to connection configuration.
• database (mysql, postgresql): If Kylin connects to a database, review database audit logs for suspicious queries originating from the Kylin server.
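The second check above (inspect JDBC connection strings for unusual or unexpected parameters) can be scripted so it runs the same way on every configuration review. The following is an added example written for this page, not code from the page or from the Apache Kylin project: it pulls JDBC URLs out of configuration text, parses their parameter section, and reports any parameter that is not on a per-deployment allowlist. The property names in the sample, the allowlist contents, the hosts and the `extraOption` parameter are all constructed assumptions; the script generalizes slightly beyond the page by also handling the `;key=value` parameter style some drivers use.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed per-deployment allowlist of JDBC URL parameters you expect to see.
# Anything outside this set is reported for review; tune it to your own connections.
EXPECTED_PARAMS = {"useSSL", "serverTimezone", "characterEncoding", "connectTimeout"}

# Matches "jdbc:<subprotocol>:<rest>" up to whitespace or a quote character.
JDBC_URL_RE = re.compile(r"jdbc:[A-Za-z0-9]+:[^\s\"']+")

# Constructed sample configuration text; the property names are placeholders,
# not real Apache Kylin keys, and the hosts and parameters are made up.
SAMPLE_CONFIG = """\
# constructed sample, not a real Kylin configuration
datasource.warehouse.url=jdbc:mysql://db.internal:3306/warehouse?useSSL=true&serverTimezone=UTC
datasource.reports.url=jdbc:mysql://db.internal:3306/reports?useSSL=true&extraOption=1
datasource.meta.url=jdbc:postgresql://meta.internal:5432/kylin?connectTimeout=10
"""


def extract_jdbc_urls(text):
    """Return every JDBC URL found in the given configuration text."""
    return JDBC_URL_RE.findall(text)


def jdbc_params(url):
    """Parse the parameter section of a JDBC URL into a dict.

    Handles the common "?k=v&k2=v2" query style and, as a fallback, the
    ";k=v;k2=v2" style used by some drivers when no query string is present.
    """
    # Drop the leading "jdbc:" so the remainder parses as an ordinary URL.
    rest = url.split(":", 1)[1]
    query = urlsplit(rest).query
    if query:
        return dict(parse_qsl(query, keep_blank_values=True))
    params = {}
    for chunk in rest.split(";")[1:]:
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            params[key] = value
    return params


def audit_config(text, expected=EXPECTED_PARAMS):
    """Report each JDBC URL in text that carries a parameter outside the allowlist."""
    findings = []
    for url in extract_jdbc_urls(text):
        unexpected = sorted(k for k in jdbc_params(url) if k not in expected)
        if unexpected:
            findings.append({"url": url, "unexpected_params": unexpected})
    return findings


if __name__ == "__main__":
    # On the constructed sample only the "reports" URL is flagged, for "extraOption".
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"REVIEW {finding['url']}: unexpected parameters {finding['unexpected_params']}")
```

An allowlist is used rather than a list of known-bad parameter names so that the check does not depend on knowing in advance which driver options matter; every parameter that was not deliberately approved for the deployment gets a human look. Run it against the exported Kylin configuration and against any project-level JDBC source definitions, and treat a new, unapproved parameter on a previously reviewed connection string as a change that needs explanation.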
disclosure
Exploitation status
EPSS
0.34% (57th percentile)
The primary mitigation for CVE-2025-30067 is to upgrade Apache Kylin to version 5.0.2 or later, which includes the necessary fix. If an immediate upgrade is not feasible, restrict access to Kylin's system and project admin roles to only trusted personnel. Implement robust authentication and authorization controls to prevent unauthorized access. Consider implementing a Web Application Firewall (WAF) with rules to detect and block suspicious JDBC connection attempts. Regularly review and audit JDBC connection configurations for any signs of tampering. After upgrading, verify the fix by attempting to establish a JDBC connection with a test user account and confirming that no arbitrary code execution is possible.
Upgrade Apache Kylin to version 5.0.2 or later. This update fixes the code injection vulnerability. Make sure that Kylin system and project admin access is properly protected.
CVE-2025-30067 is a code injection vulnerability in Apache Kylin affecting versions up to 5.0.0-beta. An attacker with admin access can inject code through JDBC connection configuration.
You are affected if you are using Apache Kylin versions 4.0.0 through 5.0.1. Upgrade to 5.0.2 or later to mitigate the risk.
Upgrade Apache Kylin to version 5.0.2 or later. Restrict admin access and review JDBC connection configurations as an interim measure.
As of March 27, 2025, there are no publicly known active exploits for CVE-2025-30067.
Refer to the Apache Kylin security advisories on the Apache project website for the latest information and updates regarding CVE-2025-30067.