oss-sec mailing list archives
[CVE-2020-1956] Apache Kylin command injection vulnerability
From: George Ni <nic () apache org>
Date: Wed, 20 May 2020 12:49:32 +0800
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Kylin 2.3.0 to 2.3.2 Kylin 2.4.0 to 2.4.1 Kylin 2.5.0 to 2.5.2 Kylin 2.6.0 to 2.6.5 Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin 3.0.1 Description: Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation. Mitigation: Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabled to false to disable command execution. Credit: This issue was discovered by Johannes Dahse. References: https://kylin.apache.org/docs/security.html -- --------------------- Best regards, Ni Chunen / George
Current thread:
- [CVE-2020-1956] Apache Kylin command injection vulnerability George Ni (May 19)