Apache Kylin Command Injection Vulnerability (CVE-2020-13925)
Jul 23, 2020 GMT+08:00
I. Overview
Security researchers have recently disclosed another command injection vulnerability (CVE-2020-13925) affecting multiple versions of Apache Kylin. As with CVE-2020-1956, Kylin exposes a RESTful API that concatenates request parameters into an OS command string and executes it on the server. The reported API lacks the necessary input validation, so an attacker who can reach it may be able to execute arbitrary OS commands remotely.
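The flaw described above, shown as an added illustration that is not Kylin's own code (Python is used here instead of Kylin's Java so it runs stand-alone; `diag.sh` is a hypothetical stand-in for the server-side script and the leading `echo` keeps the demonstration harmless while still passing through a real shell). The vulnerable form splices the project name into a shell command string; the hardened form allow-lists the value and hands it to the process as a single argv element with no shell in the path.

```python
import re
import subprocess
from typing import List

# Assumption: a valid project name is letters, digits, underscore or hyphen,
# at most 64 characters. Tighten this to whatever your deployment accepts.
_PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Hypothetical stand-in for the script the real endpoint would invoke.
SCRIPT = "diag.sh"


def vulnerable_command(project: str) -> str:
    """The flawed pattern: untrusted input concatenated into a shell string."""
    return "echo " + SCRIPT + " --project " + project


def run_vulnerable(project: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' and
    similar metacharacters inside `project` become additional commands."""
    result = subprocess.run(vulnerable_command(project), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def validate_project_name(project: str) -> str:
    """Allow-list check: reject anything outside the pattern instead of
    trying to strip or escape dangerous characters."""
    if not _PROJECT_NAME_RE.fullmatch(project):
        raise ValueError("invalid project name: %r" % project)
    return project


def hardened_argv(project: str) -> List[str]:
    """Hardened pattern: the validated value is one argv element and no
    shell ever parses it, so metacharacters cannot split the command."""
    return ["echo", SCRIPT, "--project", validate_project_name(project)]


def run_hardened(project: str) -> str:
    result = subprocess.run(hardened_argv(project), capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    payload = "learn_kylin; echo INJECTED"   # constructed sample input
    # The vulnerable path prints a second line, proving the injected
    # command ran; the hardened path refuses the same input outright.
    print(run_vulnerable(payload), end="")
    print(run_hardened("learn_kylin"), end="")
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The validation step matters even with the argv form: a value such as `../../other_project` would still be passed faithfully to the script, so the allow-list is what keeps the parameter within its intended meaning, while the argv list is what stops it from becoming a second command.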
If you are an Apache Kylin user, check your service and implement timely security hardening.
II. Severity
(Severity levels used in this notice: low, moderate, important, and critical)
III. Affected Products
Apache Kylin 2.3.0 to 2.3.2
Apache Kylin 2.4.0 to 2.4.1
Apache Kylin 2.5.0 to 2.5.2
Apache Kylin 2.6.0 to 2.6.6
Apache Kylin 3.0.0-alpha, Apache Kylin 3.0.0-alpha2, Apache Kylin 3.0.0-beta, Apache Kylin 3.0.0, Apache Kylin 3.0.1, Apache Kylin 3.0.2
Apache Kylin 3.1.0
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.
Download link: https://kylin.apache.org/download/
Note: Before applying the fix, back up your data and configuration and test the upgrade thoroughly.