
CVE-2020-1956

Warning
Exploit

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, have some RESTful APIs which concatenate OS commands with user-supplied strings; a user is likely to be able to execute any OS command without any protection or validation.

Data is provided by the National Vulnerability Database (NVD).

Apache Kylin, versions >= 2.3.0 and <= 2.3.2
Apache Kylin, versions >= 2.5.0 and <= 2.5.2
Apache Kylin, versions >= 2.6.0 and <= 2.6.5
Apache Kylin, version 2.4.0
Apache Kylin, version 2.4.1
Apache Kylin, version 3.0.0 (update: -)
Apache Kylin, version 3.0.0 (update: alpha)
Apache Kylin, version 3.0.0 (update: alpha2)
Apache Kylin, version 3.0.0 (update: beta)
Apache Kylin, version 3.0.1

25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Apache Kylin OS Command Injection Vulnerability

Description: Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution.

Required actions: Apply updates per vendor instructions.

EPSS Metrics

Type  Source     Score   Percentile
EPSS  FIRST.org  93.75%  0.998

CVSS Metrics

Source                                Base Score  Exploit Score  Impact Score  Vector string
nvd@nist.gov                          8.8         2.8            5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                          9           8              10            AV:N/AC:L/Au:S/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0  8.8         2.8            5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.