CVE-2020-13926

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICAL

EPSS

3.1%

top 13.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Kylin

Timeline

PublishedJul 14

Latest updateJul 27

Description

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/kylin2.0.0 — 3.1.0

▶Mavenorg.apache.kylin:kylin-server-base< 3.1.0

▶CVEListV5apache_kylinApache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2

🔴Vulnerability Details

GHSA

SQL Injection in Kylin↗2020-07-27

▶

OSV

SQL Injection in Kylin↗2020-07-27

▶

CVEList

CVE-2020-13926: Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, whi↗2020-07-14

▶