
List:       oss-security
Subject:    [oss-security] [SECURITY][CVE-2020-13926] Apache Kylin SQL injection vulnerability
From:       ShaoFeng Shi <shaofengshi () apache ! org>
Date:       2020-07-14 3:41:29
Message-ID: CANfpUcud+xBT1jg3k7t-XGzuQxKumZHBf+SMGNakd9Rwnh0gew () mail ! gmail ! com


Versions Affected: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1,
2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6,
3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2

Description:

Kylin concatenates and executes some Hive SQL statements in Hive CLI or
beeline when building new segments; some parts of the SQL come from system
configuration, and that configuration can be overwritten through certain
REST APIs, which makes a SQL injection attack possible.

Mitigation:
Users of all previous versions after 2.0 should upgrade to 3.1.0.

Credit:
We would like to thank Rupeng Wang from Kyligence for reporting and fixing
this issue.

Best regards,

Shaofeng Shi 史少锋
Apache Kylin PMC
Email: shaofengshi@apache.org

Apache Kylin FAQ: https://kylin.apache.org/docs/gettingstarted/faq.html
Join Kylin user mail group: user-subscribe@kylin.apache.org
Join Kylin dev mail group: dev-subscribe@kylin.apache.org
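
The pattern the advisory describes, as an added example that is not part of the original message or of Kylin's code base: a simplified Python model of a segment-build step that concatenates configuration values into a Hive script, where an API caller can overwrite the configuration before it is rendered. Every name here (DEFAULT_CONFIG, build_vulnerable, build_hardened, the config keys, the segment name and the sample payload) is hypothetical and chosen for illustration only. The vulnerable path merges any override into the config unchecked; the hardened path restricts which keys an API caller may override and validates each value, and the segment name, as a bare identifier before the SQL is built.

```python
import re

# Hypothetical, simplified model of the flaw the advisory describes:
# a segment-build step renders Hive SQL from configuration values, and a
# REST-style request can overwrite those values before rendering.
# None of this is Kylin's own code; all names are invented for illustration.

DEFAULT_CONFIG = {
    "hive.database": "default",
    "hive.table.prefix": "kylin_intermediate_",
}

# Keys an API caller is allowed to override in the hardened version (assumed).
OVERRIDABLE_KEYS = {"hive.database", "hive.table.prefix"}

# Bare Hive identifier: letters, digits, underscore; no dots, quotes or ';'.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def apply_overrides(base, overrides):
    """Merge request-supplied overrides into a copy of the base config."""
    merged = dict(base)
    merged.update(overrides)
    return merged


def render_segment_sql(config, segment):
    """Concatenate config values straight into a Hive CLI script."""
    db = config["hive.database"]
    table = config["hive.table.prefix"] + segment
    return (
        f"DROP TABLE IF EXISTS {db}.{table};\n"
        f"CREATE TABLE {db}.{table} AS SELECT * FROM {db}.source_{segment};\n"
    )


def build_vulnerable(overrides, segment):
    """Vulnerable flow: untrusted overrides reach the script unchecked."""
    return render_segment_sql(apply_overrides(DEFAULT_CONFIG, overrides), segment)


def build_hardened(overrides, segment):
    """Hardened flow: only allow-listed keys may be overridden, and every
    value that ends up in an identifier position must match IDENTIFIER_RE."""
    for key, value in overrides.items():
        if key not in OVERRIDABLE_KEYS:
            raise ValueError(f"override of {key!r} is not permitted via the API")
        if not IDENTIFIER_RE.match(value):
            raise ValueError(f"invalid identifier for {key!r}: {value!r}")
    if not IDENTIFIER_RE.match(segment):
        raise ValueError(f"invalid segment name: {segment!r}")
    return render_segment_sql(apply_overrides(DEFAULT_CONFIG, overrides), segment)


def count_statements(script):
    """Naive count of ';'-separated fragments, the way a CLI script is split.
    Enough to show that the injected statement became a separate command."""
    return len([s for s in script.split(";") if s.strip()])


# Constructed malicious override: terminates the current statement, appends
# an attacker-chosen one, and comments out the remainder of the line.
MALICIOUS = {"hive.database": "default; DROP TABLE prod.facts; --"}

if __name__ == "__main__":
    print(build_vulnerable(MALICIOUS, "seg_2020_07"))
    try:
        build_hardened(MALICIOUS, "seg_2020_07")
    except ValueError as exc:
        print("hardened path rejected the override:", exc)
```

The allow-list plus identifier check is one generic mitigation for this class of bug; the advisory does not describe the specific change shipped in Kylin 3.1.0, so treat the hardened path as an illustration of the principle rather than as the project's fix.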

