CyberSec.Space Logo
返回 CVE 浏览器

CVE-2020-13925

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0670%
EPSS Percentile18.07th
Published2020年7月14日
Last Modified2024年11月21日

Vulnerability Description

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.

Affected Platforms (CPE)

📦
Apache

Kylin

>= 2.3.0 and < 3.1.0

References & Advisories

🔗 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cuser.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
🔗 https://lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cuser.kylin.apache.org%3E

相关漏洞威胁

CVE-2021-454569.8

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. Ther...

CVE-2020-139269.8

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system...

CVE-2021-315229.8

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and pr...

CVE-2020-19568.8

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input...