PT-2020-4073 · Apache · Apache Kylin

Published: 2020-05-22 · Updated: 2025-10-23 · CVE-2020-1956

CVSS v2.0: 10.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Kylin 2.3.0 through 2.6.5; Apache Kylin 3.0.1
Description: Several RESTful APIs in Apache Kylin build OS command lines by concatenating user-supplied strings into them without validation or escaping. A remote user who can reach those APIs can therefore place shell metacharacters in a request parameter and execute arbitrary OS commands on the Kylin host with the privileges of the Kylin process.
Recommendations: Upgrade to a release that contains the fix: Apache Kylin 2.6.6 for the 2.x line, or Apache Kylin 3.0.2 for the 3.x line. Until the upgrade is in place, restrict network access to the Kylin REST API to trusted clients and do not expose it to untrusted users. Filtering or "avoiding" particular input strings is not a reliable workaround, because the attacker controls the input; only removing the shell from the command path and validating the parameter on the server side fixes the class of bug.
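As an added example (not Apache Kylin's own code; Kylin is a Java project and the Python below is a language-neutral model of the same pattern), here is the concatenation bug described above beside its hardened form. The `project` parameter, the `echo diag` stand-in for the helper script the endpoint would invoke, and the identifier allow-list rule are assumptions for illustration; the payload is constructed.

```python
"""Added example modelling the CVE-2020-1956 pattern (not Apache Kylin's code).

Kylin is a Java project; the same pattern, a REST parameter concatenated
into a shell command line, is shown here in Python so it runs stand-alone.
The stand-in command is `echo diag` so that nothing harmful executes; in
the real product it would be a diagnostic/helper script. The `project`
parameter name and the allow-listed identifier rule are assumptions.
"""
import re
import subprocess

# Stand-in for the helper command the endpoint would invoke (assumption).
TOOL = "echo diag"


def run_vulnerable(project: str) -> str:
    """VULNERABLE: user input pasted into a command string handed to a shell.

    This is the shape of the bug: `project` comes from the request, the
    command line is built by string concatenation, and a shell parses it,
    so `;`, `|`, `$()` and backticks in the input become extra commands.
    (In Java the equivalent is Runtime.exec("sh -c " + cmd) or a
    ProcessBuilder wrapping a concatenated string in `bash -c`.)
    """
    cmd = f"{TOOL} {project}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_argv(project: str) -> str:
    """Argv vector, no shell: the input stays one literal argument.

    Metacharacters are passed through unchanged to the tool. This alone
    removes the injection, but an arbitrary value can still reach the tool
    (for example a value starting with `-` that the tool reads as a flag).
    """
    argv = TOOL.split() + [project]
    out = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return out.stdout


# Allow-list for the identifier (assumed rule: letters, digits, underscore,
# dash; bounded length). Reject, do not escape: for an identifier-shaped
# parameter there is no legitimate use of anything outside this set.
PROJECT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_project(project: str) -> str:
    if not PROJECT_NAME.fullmatch(project):
        raise ValueError(f"invalid project name: {project!r}")
    return project


def run_hardened(project: str) -> str:
    """Fixed form: allow-list the parameter AND keep the shell out of the path."""
    return run_argv(validate_project(project))


def contains_injection(output: str) -> bool:
    """Demo helper: did the injected second command actually run?"""
    return any(line.strip() == "INJECTED" for line in output.splitlines())


if __name__ == "__main__":
    benign = "learn_kylin"
    hostile = "learn_kylin; echo INJECTED"  # constructed payload
    print("vulnerable:", repr(run_vulnerable(hostile)))  # two commands ran
    print("argv only :", repr(run_argv(hostile)))        # one literal argument
    print("hardened  :", repr(run_hardened(benign)))
    try:
        run_hardened(hostile)
    except ValueError as exc:
        print("hardened  : rejected before any process started:", exc)
```

Run it and the vulnerable handler prints a second line `INJECTED`, the argv form prints the whole payload back as a single literal argument, and the hardened form rejects the payload before any process starts. Both controls matter: the argv vector removes the shell from the command path, and the allow-list keeps an unexpected value from reaching the tool at all, which is the check a reviewer should look for in the patched endpoint.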

Exploit

Fix

Weakness Enumeration

OS Command Injection (CWE-78)

Related Identifiers

BDU:2020-04473
CVE-2020-1956
GHSA-gprm-xqrc-c2j3

Affected Products

Apache Kylin