CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api

[Li Yang <liyang () apache org>]

Severity: low

Affected versions:

- Apache Kylin 5.0.0 through 5.0.1

Description:

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a 
request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two 
preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the 
"/kylin/api/xxx/diag" api

endpoint open for service.


This issue affects Apache Kylin: from 5.0.0 
through 

5.0.1.

Users are recommended to upgrade to version 5.0.2, which fixes the issue.

This issue is being tracked as KYLIN-5644 

Credit:

Zevi <linzmgx () gmail com> (finder)

References:

https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-48944
https://issues.apache.org/jira/browse/KYLIN-5644