CyberSec.Space Logo
返回 CVE 浏览器

CVE-2020-13926

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0940%
EPSS Percentile7.80th
Published2020年7月14日
Last Modified2024年11月21日

Vulnerability Description

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.

Affected Platforms (CPE)

📦
Apache

Kylin

>= 2.0.0 and < 3.1.0

References & Advisories

🔗 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E

相关漏洞威胁

CVE-2021-454569.8

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. Ther...

CVE-2020-139259.8

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them...

CVE-2021-315229.8

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and pr...

CVE-2020-19568.8

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input...