Cyber Resilience

CVE-2022-24697

Critical · RCE

Published: 13 October 2022
Modified: 16 May 2025
KEV Added: not listed
Patch: 30 December 2022
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1359 (94.4th percentile)
Risk Priority: 28 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24697 is a critical-severity OS Command Injection (CWE-78) vulnerability in Apache Kylin. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Kylin contains a command injection vulnerability in its cube designer function, specifically when system parameters are overwritten through the configuration overwrites menu. Because the value of the "--conf=" parameter is placed between single quotation marks on the command line, an attacker who closes those quotation marks inside the value can inject arbitrary operating system commands. The flaw affects Kylin 2 versions up to and including 2.6.5, Kylin 3 versions up to and including 3.1.2, and Kylin 4 versions up to and including 4.0.1; it is classified as CWE-78 and carries a CVSS score of 9.8.

Unauthenticated remote attackers can exploit the issue over the network without user interaction to achieve full remote code execution on the affected Kylin instance, potentially compromising confidentiality, integrity, and availability of the system.

Public advisories published through the Apache mailing lists and oss-security detail the affected releases and recommend upgrading to patched versions once available. The EPSS score rose materially, from lower values to a peak of 0.4033 on 2025-12-11, before receding to the current 0.1359, indicating heightened exploitation interest after disclosure.

Vulnerability details

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of "--conf=" to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / kylin: 2.0.0 to 2.6.6 · 3.0.0 to 3.1.2 · 4.0.0 to 4.0.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
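The following is an added illustration (not Kylin's code, and not from this advisory) of the CWE-78 pattern described under "Deeper analysis", a configuration override spliced into a single-quoted "--conf=" shell argument, beside the two defender-side fixes the input-validation control above points at: shell-escaping the value so it can never end its own argument, and an allow-list check that rejects quotes and other shell metacharacters outright. The `spark-submit` command template and the regex are assumptions for the demonstration.

```python
import re
import shlex

# Constructed stand-in for a command line that embeds a user-supplied
# configuration override between single quotes. Hypothetical; not Kylin's code.
TEMPLATE_UNSAFE = "spark-submit --conf='{value}' job.jar"

# Allow-list for key=value overrides (assumption): dotted identifier keys and
# values limited to characters a Hadoop/Spark property plausibly needs.
# Quotes, whitespace, semicolons and other shell metacharacters cannot pass.
CONF_OVERRIDE_RE = re.compile(r"^[A-Za-z0-9_.]+=[A-Za-z0-9_.:/\-]*$")


def build_unsafe(value: str) -> str:
    """Vulnerable pattern: the override is pasted verbatim between single quotes."""
    return TEMPLATE_UNSAFE.format(value=value)


def build_hardened(value: str) -> str:
    """Fix 1: shell-escape the override so it always stays a single argument.

    shlex.quote() wraps the value in single quotes and escapes any embedded
    single quote, so a closing quote inside the value cannot end the argument.
    """
    return f"spark-submit --conf={shlex.quote(value)} job.jar"


def validate_conf_override(value: str) -> bool:
    """Fix 2: reject any override that does not match the allow-list."""
    return CONF_OVERRIDE_RE.fullmatch(value) is not None


def shell_argv(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would, to expose the argument boundaries."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    benign = "spark.executor.memory=1g"
    # Constructed tainted override: a stray closing quote followed by an extra word.
    tainted = "spark.executor.memory=1g' trailing-token '"
    print(shell_argv(build_unsafe(tainted)))    # boundary lost: extra tokens appear
    print(shell_argv(build_hardened(tainted)))  # still exactly three arguments
    print(validate_conf_override(benign), validate_conf_override(tainted))
```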
