[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [SECURITY][CVE-2020-13925] Apache Kylin command injection vulnerability
From: ShaoFeng Shi <shaofengshi () apache ! org>
Date: 2020-07-14 3:31:04
Message-ID: CANfpUcv3P9nza4UAJSHGScvrft53c8APzOaD=6sf0zrD4tiNMA () mail ! gmail ! com
[Download RAW message or body]
Versions Affected: 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2,
2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2,
3.0.0-beta, 3.0.0, 3.0.1 3.0.2
Description:
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates
the API inputs into OS commands and then executes them on the server; while
the reported API misses necessary input validation, which causes the
hackers to have the possibility to execute OS command remotely.
Mitigation:
Users of all previous versions after 2.3 should upgrade to 3.1.0.
Credit:
We would like to thank Clancey <clanceyz@protonmail.com> for reporting
this issue.
Best regards,
Shaofeng Shi =E5=8F=B2=E5=B0=91=E9=94=8B
Apache Kylin PMC
Email: shaofengshi@apache.org
Apache Kylin FAQ: https://kylin.apache.org/docs/gettingstarted/faq.html
Join Kylin user mail group: user-subscribe@kylin.apache.org
Join Kylin dev mail group: dev-subscribe@kylin.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic