Apache Kylin Command Injection Vulnerability (CVE-2020-13925)

Jul 23, 2020 GMT+08:00

I. Overview

Security researchers have recently disclosed another command injection vulnerability (CVE-2020-13925) in multiple versions of Apache Kylin. As with CVE-2020-1956, Kylin exposes a further RESTful API that concatenates its inputs into OS commands and then executes them on the server; the reported API lacks the necessary input validation, which allows attackers to execute OS commands remotely.

If you are an Apache Kylin user, check your service version and apply security hardening promptly.

Reference link:

https://sematext.com/opensee/m/Kylin/8WImheMu8TQPj232?subj=+SECURITY+CVE+2020+13925+Apache+Kylin+command+injection+vulnerability

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache Kylin 2.3.0 to 2.3.2

Apache Kylin 2.4.0 to 2.4.1

Apache Kylin 2.5.0 to 2.5.2

Apache Kylin 2.6.0 to 2.6.6

Apache Kylin 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2

Secure version:

Apache Kylin 3.1.0
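As an added example (not part of this notice or of the Kylin project), the following script checks deployment version strings against the affected ranges listed above, treating pre-release tags (alpha, beta) as older than the corresponding final release; the host inventory is constructed sample data.

```python
import re

# Affected ranges from the notice: (inclusive lower bound, inclusive upper bound)
AFFECTED_RANGES = [
    ("2.3.0", "2.3.2"),
    ("2.4.0", "2.4.1"),
    ("2.5.0", "2.5.2"),
    ("2.6.0", "2.6.6"),
    ("3.0.0-alpha", "3.0.2"),
]
FIXED_VERSION = "3.1.0"

_PRE_RANK = {"alpha": 0, "beta": 1}  # pre-release tags sort before a final release


def parse_version(version):
    """Turn 'X.Y.Z' or 'X.Y.Z-alpha[N]' / 'X.Y.Z-beta[N]' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kylin version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        pre = (2, 0)  # final release: ranks after any alpha/beta of the same number
    else:
        pre = (_PRE_RANK[m.group(4)], int(m.group(5) or 0))
    return (major, minor, patch) + pre


def is_affected(version):
    """True if the version falls inside any affected range of CVE-2020-13925."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def hosts_needing_upgrade(inventory):
    """Return the sorted host names whose Kylin version is affected."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (host name -> reported Kylin version)
SAMPLE_INVENTORY = {
    "kylin-prod-01": "3.0.1",
    "kylin-prod-02": "3.0.0-alpha2",
    "kylin-dev-01": "2.6.6",
    "kylin-dev-02": "3.1.0",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade to {FIXED_VERSION}")
```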

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

Download link: https://kylin.apache.org/download/

Note: Before applying the fix, back up your data and test the upgrade thoroughly.