<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2020-1956] Apache Kylin command injection vulnerability
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: George Ni <nic () apache org>
Date: Wed, 20 May 2020 12:49:32 +0800
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Kylin 2.3.0 to 2.3.2
Kylin 2.4.0 to 2.4.1
Kylin 2.5.0 to 2.5.2
Kylin 2.6.0 to 2.6.5
Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin
3.0.1
Description:
Kylin has some restful apis which will concatenate os command with the user
input string, a user is likely to be able to execute any os command without
any protection or validation.
Mitigation:
Users should upgrade to 3.0.2 or 2.6.6 or set
kylin.tool.auto-migrate-cube.enabled to false to disable command execution.
Credit:
This issue was discovered by Johannes Dahse.
References:
https://kylin.apache.org/docs/security.html
--
---------------------
Best regards,
Ni Chunen / George
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[CVE-2020-1956] Apache Kylin command injection vulnerability George Ni (May 19)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->