Lucene search

[email protected]CVE-2020-1937

HistoryFeb 24, 2020 - 9:15 p.m.

CVE-2020-1937

2020-02-2421:15:16

CWE-89

[email protected]

web.nvd.nist.gov

kylin

sql injection

api vulnerability

nvd

cve-2020-1937

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.1%

JSON

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.

Affected configurations

Vulners

NVD

Node

apachekylinRange2.4.0–2.4.1

apachekylinRange2.5.0–2.5.2

apachekylinRange2.6.0–2.6.4

apachekylinRange≤3.0.0-alpha

apachekylinRange≤3.0.0-alpha2

apachekylinRange≤3.0.0-beta

apachekylinRange≤3.0.0

CPENameOperatorVersion
apache:kylinapache kylinle2.3.2
apache:kylinapache kylinle2.4.1
apache:kylinapache kylinle2.5.2
apache:kylinapache kylinle2.6.4
apache:kylinapache kylineq3.0.0

CPE	Name	Operator	Version
apache:kylin	apache kylin	le	2.3.2
apache:kylin	apache kylin	le	2.4.1
apache:kylin	apache kylin	le	2.5.2
apache:kylin	apache kylin	le	2.6.4
apache:kylin	apache kylin	eq	3.0.0

CNA Affected

[
  {
    "product": "Apache Kylin",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "ApacheKylin 2.3.0 to 2.3.2"
      },
      {
        "status": "affected",
        "version": "2.4.0 to 2.4.1"
      },
      {
        "status": "affected",
        "version": "2.5.0 to 2.5.2"
      },
      {
        "status": "affected",
        "version": "2.6.0 to 2.6.4"
      },
      {
        "status": "affected",
        "version": "3.0.0-alpha"
      },
      {
        "status": "affected",
        "version": "3.0.0-alpha2"
      },
      {
        "status": "affected",
        "version": "3.0.0-beta"
      },
      {
        "status": "affected",
        "version": "3.0.0"
      }
    ]
  }
]

References

lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E

lists.apache.org/thread.html/r61666760d8a4e8764b2d5fe158d8a48b569414480fbfadede574cdc0%40%3Ccommits.kylin.apache.org%3E

lists.apache.org/thread.html/rc574fef23740522f62ab3bbda4f6171be98aa7a25f3f54be143a80a8%40%3Cuser.kylin.apache.org%3E

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.1%

JSON

Related for CVE-2020-1937

veracode1 nvd1 github1 githubexploit1 prion1 osv2 cvelist1