nessus | This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof. | APACHE_KYLIN_CVE-2020-1956.NASL
HistoryNov 28, 2023 - 12:00 a.m.

Apache Kylin 2.3.x < 2.3.3 / 2.4.x < 2.4.2 / 2.5.x < 2.5.3 / 2.6.x < 2.6.6 / 3.x < 3.0.2 Command Injection (CVE-2020-1956)

2023-11-28 00:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
4
apache kylin
command injection
vulnerability
cve-2020-1956
restful apis
authentication
cube migration
web interface
security issue

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

Low

0.974 High

EPSS

Percentile

99.9%

The instance of Apache Kylin running on the remote host is 2.3.x prior to 2.3.3, 2.4.x prior to 2.4.2, 2.5.x prior to 2.5.3, 2.6.x prior to 2.6.6, or 3.x prior to 3.0.2. It is therefore affected by a command injection vulnerability: some RESTful APIs build OS commands by concatenating user-supplied strings. An authenticated, remote attacker with MANAGEMENT or ADMIN permissions on any project can inject arbitrary system commands during Cube migration via the Kylin web interface.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Metadata branch: when `description` is set, the plugin only registers its
# identity, references and risk data through the script_* calls below and then
# exits; none of the calls in this branch contact the target.
if (description)
{
  script_id(186352);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/28");

  script_cve_id("CVE-2020-1956");
  # NOTE(review): the value is a date; presumably the CISA KEV due date for
  # this CVE rather than the date it was added - confirm against the catalog.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Apache Kylin 2.3.x < 2.3.3 / 2.4.x < 2.4.2 / 2.5.x < 2.5.3 / 2.6.x < 2.6.6 / 3.x < 3.0.2 Command Injection (CVE-2020-1956)");

  script_set_attribute(attribute:"synopsis", value:
"The application running on the remote host is affected by a command injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The instance of Apache Kylin running on the remote host is 2.3.x prior to 2.3.3, 2.4.x prior to 2.4.2, 2.5.x prior to 
2.5.3, 2.6.x prior to 2.6.6 or 3.x prior to 3.0.2. Therefore, it is affected by a command injection vulnerability due to
some restful APIs concatenating OS commands with user input strings. An authenticated, remote attacker with the 
MANAGEMENT or ADMIN permissions on any project can inject arbitrary system commands during Cube migration via the Kylin 
web interface.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported 
version number.");
  # The URL in the comment below is presumably the expanded target of the
  # shortened nessus.org link registered on the next line.
  # https://community.sonarsource.com/t/tech-story-apache-kylin-3-0-1-command-injection-vulnerability/25706
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3b0bbbae");
  script_set_attribute(attribute:"see_also", value:"https://kylin.apache.org/docs/security.html");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2020-1956");
  # Two remediation paths are offered: upgrade, or disable the cube
  # auto-migration setting. The version comparison after this block only
  # covers the first; the setting is not read anywhere in this plugin.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Kylin version 2.6.6, 3.0.2 or later or set kylin.tool.auto-migrate-cube.enabled to false.");
  # Au:S (CVSS2) and PR:L (CVSS3) match the description: the attacker must be
  # authenticated. The CVSS3 vectors are declared with the 3.0 prefix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1956");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/28");

  # Marked as a potential vulnerability: per the description text, the result
  # rests on the self-reported version only, so a host that applied the
  # configuration workaround can still be reported.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:kylin");
  script_end_attributes();

  # Information-gathering category; no exploitation attempt is declared.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Presumably the detection plugin is what records the
  # "installed_sw/Apache Kylin" key required below - confirm.
  script_dependencies("apache_kylin_web_detect.nbin");
  # Requiring Settings/ParanoidReport ties this plugin to paranoid scan
  # settings, consistent with the report_paranoia gate in the check logic.
  script_require_keys("installed_sw/Apache Kylin", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');

# Version-only check for CVE-2020-1956: fetch the recorded Apache Kylin
# install, gate on the paranoia level, then compare the version against the
# affected ranges. No request exercising the vulnerable API is made here.
var product = 'Apache Kylin';
var install = vcf::combined_get_app_info(app:product);

# config check: kylin.tool.auto-migrate-cube.enabled
# The workaround named in the solution text (setting the option above to
# false) is not inspected by this plugin, so a version match alone cannot
# prove exposure. The finding is therefore reported only when the scan's
# paranoia level is 2 or higher; otherwise the plugin audits out.
if (report_paranoia < 2)
{
  audit(AUDIT_PARANOID);
}

# A single range covers the 2.3 through 2.6 branches with 2.6.6 as the fix,
# and a second covers 3.x from the 3.0.0-alpha pre-release up to 3.0.2.
# NOTE(review): the plugin title lists per-branch bounds (2.3.3, 2.4.2, 2.5.3);
# if such releases exist they would still match the first range - confirm
# against the vendor advisory when triaging a hit on those branches.
var affected_ranges = [
  {'min_version': '2.3.0', 'fixed_version': '2.6.6'},
  {'min_version': '3.0.0-alpha', 'fixed_version': '3.0.2'}
];

vcf::check_version_and_report(app_info:install, constraints:affected_ranges, severity:SECURITY_HOLE);

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| apache | kylin | | cpe:/a:apache:kylin |
