CVE-2020-1956
Published 2020-05-22

Severity: High 8.8 (CVSS 3.1) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags: KEV, ITW, EXPLOIT

CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, has some RESTful APIs which concatenate OS commands with user-supplied strings; a user is likely to be able to execute any OS command without any protection or validation.
Affected: 11 ranges in the record (rows without version or fix data omitted below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | kylin | >= 2.3.0 < 3.1.0 | 3.1.0 |
| apache | kylin | 2.3.0 – 2.3.2 | — |
| apache | kylin | 2.5.0 – 2.5.2 | — |
| apache | kylin | 2.6.0 – 2.6.5 | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 8.8 | HIGH | — |
| osv | 8.8 | HIGH | — |
| vulncheck | 8.8 | HIGH | — |
| cisa | 8.8 | HIGH | — |