oss-sec mailing list archives

[CVE-2020-1956] Apache Kylin command injection vulnerability

From: George Ni <nic () apache org>
Date: Wed, 20 May 2020 12:49:32 +0800

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Kylin 2.3.0 to 2.3.2
Kylin 2.4.0 to 2.4.1
Kylin 2.5.0 to 2.5.2
Kylin 2.6.0 to 2.6.5
Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin
3.0.1

Description:
Kylin has some restful apis which will concatenate os command with the user
input string, a user is likely to be able to execute any os command without
any protection or validation.

Mitigation:
Users should upgrade to 3.0.2 or 2.6.6 or set
kylin.tool.auto-migrate-cube.enabled to false to disable command execution.

Credit:
This issue was discovered by Johannes Dahse.

References:
https://kylin.apache.org/docs/security.html

-- 

---------------------

Best regards,



Ni Chunen / George

Current thread:

[CVE-2020-1956] Apache Kylin command injection vulnerability George Ni (May 19)