Service Notices
Apache Kylin Command Injection Vulnerability (CVE-2020-13925)
Jul 23, 2020 GMT+08:00
I. Overview
Another command injection vulnerability (CVE-2020-13925) has recently been disclosed in multiple versions of Apache Kylin. As with CVE-2020-1956, Kylin exposes a further REST API that concatenates API inputs into an OS command and executes it on the server. The reported API lacks the necessary input validation, so an attacker who can reach it may be able to execute arbitrary OS commands on the host remotely.
If you run Apache Kylin, check which version your service uses and apply the fix promptly.
Reference link:
https://sematext.com/opensee/m/Kylin/8WImheMu8TQPj232?subj=+SECURITY+CVE+2020+13925+Apache+Kylin+command+injection+vulnerability
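The overview above describes the bug class (untrusted API input concatenated into an OS command) rather than a specific code path. The following Python script is an added illustration and is not Kylin's code: it uses a constructed request handler with an assumed `project` parameter and `echo` as a stand-in for the server-side tool, and contrasts the vulnerable concatenation with two fixes, shell-quoting the argument when a shell string is unavoidable, and allowlist validation combined with argv execution that never touches a shell. It assumes a POSIX shell is available.

```python
"""Illustrative OS command injection pattern and two fixes.

Constructed example, not Apache Kylin's code: a stand-in for a REST
handler that, like the API described in this notice, builds a
server-side command from an API parameter. ``echo`` replaces the real
tool so the script runs anywhere with a POSIX shell; the parameter
name ``project`` is an assumption.
"""
import re
import shlex
import subprocess

# Allowlist for identifiers such as project or cube names.
# Assumption: a real application would use its own naming rules.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_command_vulnerable(project: str) -> str:
    """Concatenates untrusted input straight into a shell command line."""
    return "echo diag " + project


def run_vulnerable(project: str) -> str:
    """Executes the concatenated string through a shell: the bug.

    Input such as 'proj; echo INJECTED' makes the shell run a second
    command, which is exactly what the advisory warns about.
    """
    result = subprocess.run(build_command_vulnerable(project),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def build_command_quoted(project: str) -> str:
    """Mitigation 1: shell-escape the input if a shell string is unavoidable."""
    return "echo diag " + shlex.quote(project)


def run_quoted(project: str) -> str:
    """Same shell execution, but the input is passed as one quoted word."""
    result = subprocess.run(build_command_quoted(project),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def validate_name(project: str) -> str:
    """Mitigation 2a: reject anything outside a strict allowlist."""
    if not _SAFE_NAME.match(project):
        raise ValueError(f"invalid project name: {project!r}")
    return project


def run_hardened(project: str) -> str:
    """Mitigation 2b: validated input passed as its own argv element, no shell.

    Even if validation were skipped, the argv form hands the string to
    the program as a single argument, so metacharacters are not parsed.
    """
    name = validate_name(project)
    result = subprocess.run(["echo", "diag", name],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "proj; echo INJECTED"  # constructed malicious input
    print("vulnerable:", repr(run_vulnerable(payload)))
    print("quoted:    ", repr(run_quoted(payload)))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:  rejected ->", exc)
    print("hardened:  ", repr(run_hardened("proj_01")))
```

Running the script shows the vulnerable path emitting the injected line as a second command's output, the quoted path printing the payload literally as part of the argument, and the hardened path rejecting the payload before anything is executed. Validation plus argv execution is the preferable fix; quoting alone still depends on the shell's parsing rules.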
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Kylin 2.3.0 to 2.3.2
Apache Kylin 2.4.0 to 2.4.1
Apache Kylin 2.5.0 to 2.5.2
Apache Kylin 2.6.0 to 2.6.6
Apache Kylin 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0 to 3.0.2
Secure version:
Apache Kylin 3.1.0
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release (Apache Kylin 3.1.0). If your deployment runs a version in the affected range, upgrade it to the secure version.
Download link: https://kylin.apache.org/download/
Note: Before applying the fix, back up your data and configuration, and test the upgrade thoroughly before rolling it out to production.