History: May 22, 2020 - 1:27 p.m.

CVE-2020-1956

2020-05-22 13:27:43
apache
www.cve.org
AI Score: 9.3 High (Confidence: High)

EPSS: 0.974 High (Percentile: 99.9%)

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, have some RESTful APIs that concatenate OS commands with the user input string; a user is likely to be able to execute any OS command without any protection or validation.

CNA Affected

[
  {
    "product": "Kylin",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "2.3.0"
      },
      {
        "status": "affected",
        "version": "<=2.6.5"
      },
      {
        "status": "affected",
        "version": "<=3.0.1"
      }
    ]
  }
]
