CVE-2021-31522: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

January 6, 2022 (updated January 12, 2022)

Kylin can receive user input and load any class through Class.forName(…). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.

References

www.openwall.com/lists/oss-security/2022/01/06/4
lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
nvd.nist.gov/vuln/detail/CVE-2021-31522

Code Behaviors & Features

Detect and mitigate CVE-2021-31522 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →