CyberSec.Space Logo
CVEブラウザに戻る

CVE-2020-13926

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0940%
EPSS Percentile7.80th
Published2020年7月14日
Last Modified2024年11月21日

Vulnerability Description

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.

Affected Platforms (CPE)

📦
Apache

Kylin

>= 2.0.0 and < 3.1.0

References & Advisories

🔗 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E

関連する脆弱性情報

CVE-2021-454569.8

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. Ther...

CVE-2020-139259.8

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them...

CVE-2021-315229.8

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and pr...

CVE-2020-19568.8

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input...