参考:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1956
- Apache Kylin历史漏洞分析
- https://community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706
- https://developer.baidu.com/topic/show/290847
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
据说环境不好搭,还是用docker吧。