CVE-2025-61734: Apache Kylin Files or Directories Accessible to External Parties
7.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.kylin:kylin | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-common-server | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-common-service | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-core-common | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-core-metadata | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-ops-server | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-server | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability, identified as CVE-2025-61734, allows external parties to access files and directories in Apache Kylin. My analysis of the provided patch reveals that the root cause is twofold: insufficient validation of host parameters in several API endpoints, and path traversal vulnerabilities in file handling services.

1. Insufficient Host Validation: Multiple methods within the NSystemController and OpsController classes accepted a host parameter for remote operations, such as metadata backup and diagnostic package management. These endpoints did not validate whether the provided host was a legitimate part of the Kylin cluster. An attacker could exploit this by providing a malicious host address, causing the Kylin server to send requests to or interact with an arbitrary machine. This could lead to information disclosure or be used as a vector for other attacks. The patch introduces a checkServer method in NBasicController, which is now called by all the affected endpoints to ensure the host is a known and trusted server.

2. Path Traversal: The FileService was susceptible to a path traversal attack. The getMetadataBackupFromTmpPath method used a user-provided file path without adequate sanitization. By crafting a path with directory traversal sequences (e.g., ../), an attacker could read files from arbitrary locations on the server's filesystem. The fix involves a new getSafeAbsolutePath method that normalizes the path and ensures it is within the designated temporary directory, effectively preventing traversal outside of it.

3. Insecure File Creation from Principal: The ProjectService's generateTempKeytab method was vulnerable because it used the principal name to construct a filename without proper validation. A malicious principal name containing path characters could have been used to write a keytab file to an arbitrary location on the filesystem. The patch adds a checkPrincipal method to sanitize the input, checking for invalid characters, length, and path traversal patterns.

In summary, the vulnerability stems from a lack of input validation on parameters that are used to construct file paths or specify remote hosts. Any runtime profile showing calls to the identified vulnerable functions with unvalidated, user-controlled input for parameters like host, tmpFilePath, or principal would be a strong indicator of attempted or successful exploitation.
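The three fixes described above (a trusted-host check, a containment check on user-supplied paths, and principal-name sanitization) all reduce to the same pattern: validate the parameter before it is used to build a path or address a remote machine. The following is an added illustration of that pattern and is not Apache Kylin's own code; the class name, the `InvalidInputException` type, the allowlist source, the 255-character limit and the principal character set are all assumptions, and the base directory and host names are constructed sample values.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added, illustrative hardening checks modelled on the three fixes the advisory
 * describes. This is not Apache Kylin's code; class and method names are assumed.
 */
public final class KylinStyleInputChecks {

    /** Thrown when a user-controlled parameter fails validation. */
    public static final class InvalidInputException extends RuntimeException {
        InvalidInputException(String msg) { super(msg); }
    }

    // 1. Host validation: only hosts that are known cluster members may be targeted.
    private final Set<String> knownServers;  // assumed to come from cluster configuration

    public KylinStyleInputChecks(Set<String> knownServers) {
        this.knownServers = Set.copyOf(knownServers);
    }

    /** Exact-match allowlist check; rejects anything not registered as a cluster node. */
    public String checkServer(String host) {
        if (host == null || !knownServers.contains(host)) {
            throw new InvalidInputException("host is not a member of this cluster: " + host);
        }
        return host;
    }

    // 2. Path containment: resolve, normalise, then prove the result is still under baseDir.
    public static Path getSafeAbsolutePath(Path baseDir, String userPath) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(userPath).normalize();
        // Path.startsWith compares whole segments, so "/tmp/kylin-other" does not pass for
        // base "/tmp/kylin"; a String prefix check would accept it. An absolute userPath
        // replaces the base entirely on resolve() and is therefore rejected here as well.
        if (!resolved.startsWith(base)) {
            throw new InvalidInputException("path escapes base directory: " + userPath);
        }
        return resolved;
    }

    // 3. Principal sanitisation: length, traversal patterns, then a strict character set.
    private static final int MAX_PRINCIPAL_LENGTH = 255;  // assumed limit
    private static final Pattern PRINCIPAL =
            Pattern.compile("^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?@[A-Za-z0-9.-]+$");

    public static String checkPrincipal(String principal) {
        if (principal == null || principal.isEmpty() || principal.length() > MAX_PRINCIPAL_LENGTH) {
            throw new InvalidInputException("principal is missing or too long");
        }
        if (principal.contains("..") || principal.contains("\\") || principal.indexOf('\0') >= 0) {
            throw new InvalidInputException("principal contains path traversal characters");
        }
        if (!PRINCIPAL.matcher(principal).matches()) {
            throw new InvalidInputException("principal contains invalid characters: " + principal);
        }
        return principal;
    }

    /** Derives a keytab file name from a validated principal instead of using the raw string as a path. */
    public static Path tempKeytabPath(Path tmpDir, String principal) {
        String fileName = checkPrincipal(principal).replaceAll("[/@]", "_") + ".keytab";
        return getSafeAbsolutePath(tmpDir, fileName);
    }

    public static void main(String[] args) {
        KylinStyleInputChecks checks =
                new KylinStyleInputChecks(Set.of("kylin-node-1:7070", "kylin-node-2:7070"));
        Path tmp = Paths.get("/tmp/kylin-metadata-backup");  // constructed base directory

        System.out.println("accepted host: " + checks.checkServer("kylin-node-1:7070"));
        System.out.println("accepted path: " + getSafeAbsolutePath(tmp, "2025-10/metadata.zip"));
        System.out.println("keytab path:   " + tempKeytabPath(tmp, "kylin/node1@EXAMPLE.ORG"));

        // Inputs of the kind the advisory describes; each must be rejected before any file I/O.
        String[] badPaths = {"../../etc/passwd", "/etc/passwd", "2025-10/../../secret"};
        for (String bad : badPaths) {
            try {
                getSafeAbsolutePath(tmp, bad);
            } catch (InvalidInputException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {
            checks.checkServer("unknown-host.example:7070");
        } catch (InvalidInputException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The containment check deliberately compares `Path` objects rather than strings: `Path.startsWith` works on whole segments, so a sibling directory sharing the base's name as a prefix is still rejected, and because `resolve()` discards the base when handed an absolute path, absolute inputs fail the same check without a separate branch. The principal is never used as a filename directly; it is validated, then flattened into a single safe segment and passed through the same containment check, which is the defensive posture the patched `generateTempKeytab` is described as adopting.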
Vulnerable functions
| Function | Source file |
|---|---|
| org.apache.kylin.rest.controller.NSystemController.broadcastMetadataBackup | src/common-server/src/main/java/org/apache/kylin/rest/controller/NSystemController.java |
| org.apache.kylin.rest.service.FileService.getMetadataBackupFromTmpPath | src/common-service/src/main/java/org/apache/kylin/rest/service/FileService.java |
| org.apache.kylin.rest.service.ProjectService.generateTempKeytab | src/common-service/src/main/java/org/apache/kylin/rest/service/ProjectService.java |
| org.apache.kylin.rest.controller.OpsController.getRemoteDumpDiagPackage | src/ops-server/src/main/java/org/apache/kylin/rest/controller/OpsController.java |
| org.apache.kylin.rest.controller.OpsController.getRemoteDumpQueryDiagPackage | src/ops-server/src/main/java/org/apache/kylin/rest/controller/OpsController.java |
| org.apache.kylin.rest.controller.OpsController.getRemotePackageStatus | src/ops-server/src/main/java/org/apache/kylin/rest/controller/OpsController.java |
| org.apache.kylin.rest.controller.OpsController.remoteDownloadPackage | src/ops-server/src/main/java/org/apache/kylin/rest/controller/OpsController.java |
| org.apache.kylin.rest.controller.OpsController.remoteStopPackage | src/ops-server/src/main/java/org/apache/kylin/rest/controller/OpsController.java |