CVE-2020-1956 — Command Injection in Kylin

Description

Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

How to fix CVE-2020-1956

To remediate CVE-2020-1956, upgrade the affected package to a fixed version below.

Maven/org.apache.kylin:kylin-core-common—upgrade to 2.6.6 or later

Is CVE-2020-1956 being exploited?

Yes — CVE-2020-1956 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

from 0, < 2.6.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-1956
PATCHgithub.com/apache/kylin
WEBcommunity.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706
WEBgithub.com/apache/kylin/commit/58fad56ac6aaa43c6bd8f962d7f2d84438664092