Lucene search

PRIOn knowledge basePRION:CVE-2020-1956

HistoryMay 22, 2020 - 2:15 p.m.

Input validation

2020-05-2214:15:00

PRIOn knowledge base

www.prio-n.com

8.7 High

AI Score

Confidence

High

0.974 High

EPSS

Percentile

99.9%

JSON

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

CPENameOperatorVersion
kylinge2.5.0
kylinle2.5.2
kylinge2.4.0
kylinle2.4.1
kylinge2.3.0
kylinle2.3.2
kylineq3.0.0 alpha
kylineq3.0.0 alpha2
kylineq3.0.0 beta
kylineq3.0.0

Name	Operator	Version
kylin	ge	2.5.0
kylin	le	2.5.2
kylin	ge	2.4.0
kylin	le	2.4.1
kylin	ge	2.3.0
kylin	le	2.3.2
kylin	eq	3.0.0 alpha
kylin	eq	3.0.0 alpha2
kylin	eq	3.0.0 beta
kylin	eq	3.0.0

Rows per page:

1-10 of 131

References

www.openwall.com/lists/oss-security/2020/07/14/1

community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706

lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E

lists.apache.org/thread.html/r1332ef34cf8e2c0589cf44ad269fb1fb4c06addec6297f0320f5111d%40%3Cuser.kylin.apache.org%3E

lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cdev.kylin.apache.org%3E

lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cuser.kylin.apache.org%3E

lists.apache.org/thread.html/r61666760d8a4e8764b2d5fe158d8a48b569414480fbfadede574cdc0%40%3Ccommits.kylin.apache.org%3E