CVE-2025-30067
Published: 27 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-30067 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, affecting Apache Kylin versions from 4.0.0 through 5.0.1. The flaw allows manipulation of the JDBC connection configuration when an attacker possesses system or project admin permissions within Kylin. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high-impact potential with network accessibility but requiring high privileges.
An attacker holding Kylin system or project admin access can exploit this vulnerability by altering the JDBC connection configuration so that arbitrary code runs on the Kylin host. This permits full compromise of confidentiality, integrity, and availability on the affected system; no user interaction is required beyond the attacker first obtaining admin privileges. Because exploitation hinges on that prior privilege, protecting admin credentials and restricting admin role assignment mitigates the risk.
Apache advisories recommend upgrading to version 5.0.2 or later, which resolves the issue. Detailed announcements are available in the Apache mailing list at https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/03/27/4.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The code injection vulnerability allows an authenticated admin to achieve arbitrary remote code execution on the host, which maps directly to T1068 (Exploitation for Privilege Escalation: from application-level admin to system-level code execution) and T1059 (Command and Scripting Interpreter: running the injected code).