Command Injection Affecting org.apache.kylin:kylin-server package, versions [2.3.0, 3.1.0)

Exploit Maturity

Proof of concept
Attack Complexity

High
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGAPACHEKYLIN-584373
published

14 Jul 2020
disclosed

14 Jul 2020
credit

Clancey

Report a new vulnerability Found a mistake?

Introduced: 14 Jul 2020

CVE-2020-13925 Open this link in a new tab CWE-78 Open this link in a new tab

How to fix?

Upgrade org.apache.kylin:kylin-server to version 3.1.0 or higher.

Overview

org.apache.kylin:kylin-server is an analytics Engine, contributed by eBay Inc., provides SQL interface and multi-dimensional analysis (OLAP) on Hadoop supporting extremely large datasets.

Affected versions of this package are vulnerable to Command Injection. It one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely.

Command Injection Affecting org.apache.kylin:kylin-server package, versions [2.3.0, 3.1.0)

Exploit Maturity

Attack Complexity

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 14 Jul 2020

How to fix?

Overview

References