|
|
|||
| Rule General Information |
|---|
| Release Date: | 2022-05-24 | |
| Rule Name: | Apache Kylin Command Injection Vulnerability (CVE-2021-45456 CVE-2020-13925) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0. | |
| Impact: | An attacker can execute arbitrary command via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | Windows, Others | |
| Reference: | http://www.openwall.com/lists/oss-security/2022/01/06/1 https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf |