SQL Injection Affecting org.apache.kylin:kylin-server package, versions [2.0.0, 3.1.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
3.11% (87th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEKYLIN-584374
  • published14 Jul 2020
  • disclosed14 Jul 2020
  • creditRupeng Wang

Introduced: 14 Jul 2020

CVE-2020-13926  (opens in a new tab)
CWE-89  (opens in a new tab)

How to fix?

Upgrade org.apache.kylin:kylin-server to version 3.1.0 or higher.

Overview

org.apache.kylin:kylin-server is an analytics Engine, contributed by eBay Inc., provides SQL interface and multi-dimensional analysis (OLAP) on Hadoop supporting extremely large datasets.

Affected versions of this package are vulnerable to SQL Injection. It concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible.

CVSS Base Scores

version 3.1