Lucene search

Veracode Vulnerability DatabaseVERACODE:25474

HistoryMay 21, 2020 - 7:13 a.m.

OS Command Injection

2020-05-2107:13:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.974 High

EPSS

Percentile

99.9%

JSON

kylin-server-base is vulnerable to OS Command Injection. The vulnerability exists as the values of srcCfgUri, dstCfgUri, and projectName, in CubeService.java is not properly handled.

CPENameOperatorVersion
apache kylin - rest server basele2.6.5
apache kylin - rest server basele2.5.2
apache kylin - rest server basele2.3.2
apache kylin - rest server basele2.4.1
apache kylin - rest server basele3.0.1

Name	Operator	Version
apache kylin - rest server base	le	2.6.5
apache kylin - rest server base	le	2.5.2
apache kylin - rest server base	le	2.3.2
apache kylin - rest server base	le	2.4.1
apache kylin - rest server base	le	3.0.1

References

www.openwall.com/lists/oss-security/2020/07/14/1

community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706

github.com/apache/kylin/commit/0888c867a52479840a6f3fcd812f9305a95b8dfd

kylin.apache.org/docs/security.html

lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf@%3Ccommits.kylin.apache.org%3E

lists.apache.org/thread.html/r1332ef34cf8e2c0589cf44ad269fb1fb4c06addec6297f0320f5111d%40%3Cuser.kylin.apache.org%3E

lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb@%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb@%3Cdev.kylin.apache.org%3E

lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb@%3Cuser.kylin.apache.org%3E

lists.apache.org/thread.html/r61666760d8a4e8764b2d5fe158d8a48b569414480fbfadede574cdc0@%3Ccommits.kylin.apache.org%3E

seclists.org/oss-sec/2020/q2/133

0.974 High

EPSS

Percentile

99.9%

JSON

Related for VERACODE:25474