CVE-2022-43396 & CVE-2022-44621: Command injection in Apache Kylin