|
|||
Rule General Information |
---|
Release Date: | 2020-09-01 | |
Rule Name: | Apache Kylin REST API migrateCube Command Injection Vulnerability (CVE-2020-1956) | |
Severity: | ||
CVE ID: | ||
Rule Protection Details |
---|
Description: | Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation. | |
Impact: | An attacker can execute arbitrary command via a successful exploit in the context of the vulnerable software. | |
Affected OS: | Windows, Others | |
Reference: | http://www.openwall.com/lists/oss-security/2020/07/14/1 https://community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706 https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf@%3Ccommits.kylin.apache.org%3E https://lists.apache.org/thread.html/r1332ef34cf8e2c0589cf44ad269fb1fb4c06addec6297f0320f5111d%40%3Cuser.kylin.apache.org%3E |
|
Solutions |
---|
The vendors have released upgrade patches to fix vulnerabilities, please visit: https://lists.apache.org/thread.html/r1332ef34cf8e2c0589cf44ad269fb1fb4c06addec6297f0320f5111d%40%3Cuser.kylin.apache.org%3E |