{"schema_version": "1.6.1", "id": "CVE-2024-48944", "summary": "SSRF vulnerability in the diagnosis api", "details": "Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke \"/kylin/api/xxx/diag\" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the \"/kylin/api/xxx/diag\" api\n\nendpoint open for service.\n\n\nThis issue affects Apache Kylin: from 5.0.0 \nthrough \n\n5.0.1.\n\nUsers are recommended to upgrade to version 5.0.2, which fixes the issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "5.0.0"}, {"last_affected": "5.0.0"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/1xxxtdfh9hzqsqgb1pd9grb8hvqdyc9x"}]}