CVE-2020-1956

Summary

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

Affected Software

VendorProductVersion RangeStatus
ApacheKylin2.3.0affected
ApacheKylin<=2.6.5affected
ApacheKylin<=3.0.1affected

Weaknesses

  • Command Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References