CVE-2021-45456: 
Java vulnerability analysis and mitigation

Apache Kylin version 4.0.0 contains a command injection vulnerability (CVE-2021-45456) discovered in January 2022. The vulnerability exists in the DiagnosisService where there is a mismatch between project name validation and shell command argument usage. When checking the legitimacy of a project before executing commands with user-provided project names, the validation process and actual command execution use different versions of the input, potentially allowing malicious input to bypass security checks (Openwall Mailing).

The vulnerability stems from a mismatch between the project name validation using ValidateUtil.convertStringToBeAlphanumericUnderscore(project) and the actual shell command argument which uses the raw project name. This discrepancy allows attackers to bypass input validation checks. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Security Lab, NVD).

If successfully exploited, this vulnerability could lead to post-authentication remote code execution. An attacker with the ability to create projects could execute arbitrary commands on the affected system (GitHub Security Lab).

Users of Apache Kylin 4.0.0 should upgrade to version 4.0.1 or apply the patch available at https://github.com/apache/kylin/pull/1781 (Openwall Mailing).