CVE-2020-13925: OS Command Injection
First published: Tue Jul 14 2020(Updated: )
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Kylin | >=2.3.0<3.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf@%3Ccommits.kylin.apache.org%3E
- https://lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cuser.kylin.apache.org%3E
- https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
Frequently Asked Questions
What is CVE-2020-13925?
CVE-2020-13925 is a vulnerability in Apache Kylin that allows remote execution of OS commands.
How severe is CVE-2020-13925?
CVE-2020-13925 has a severity rating of 9.8 (critical).
What software versions are affected by CVE-2020-13925?
Versions between 2.3.0 and 3.1.0 of Apache Kylin are affected by CVE-2020-13925.
What is the CWE ID for CVE-2020-13925?
The CWE IDs for CVE-2020-13925 are 20 and 78.
How can I fix CVE-2020-13925?
To fix CVE-2020-13925, users should update Apache Kylin to a version higher than 3.1.0.
- collector/nvd-index
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- agent/source
- vendor/apache
- canonical/apache kylin
- version/apache kylin/2.3.0