QID 730430
Date Published: 2022-04-08
QID 730430: Apache Kylin Command Injection Vulnerability
Apache Kylin is an open-source distributed Analytical Data Warehouse from the Apache Software Foundation (ASF). It is designed to provide a SQL interface and multi-dimensional analysis (OLAP) on Hadoop/Spark to support extremely large datasets.
CVE-2020-1956: Some RESTful APIs concatenate the user-supplied input string into an OS command, so a user is likely to be able to execute any OS command without any protection or validation.
Affected Versions:
Apache Kylin versions from 2.3.0 to 2.3.2
Apache Kylin versions from 2.4.0 to 2.4.1
Apache Kylin versions from 2.5.0 to 2.5.2
Apache Kylin versions from 2.6.0 to 2.6.5
Apache Kylin versions 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1
QID Detection Logic (Unauthenticated):
The QID checks for vulnerable versions of Apache Kylin by sending a GET request to the "/kylin/api/admin/version" endpoint.
Successful exploitation of this vulnerability may allow an authenticated remote attacker to execute arbitrary commands on the affected targets.
Customers are advised to upgrade to Apache Kylin 3.0.2 or 2.6.6 or later. For further information please refer to the Apache Kylin Security Advisory.
Workaround:
Set "kylin.tool.auto-migrate-cube.enabled" to false to disable command execution.
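The following is an added example, not part of the QID or of Apache Kylin itself: it encodes the affected ranges listed above, classifies a reported version string the way the detection logic does, and checks a kylin.properties text for the workaround setting. It assumes the caller has already extracted the version string from the "/kylin/api/admin/version" response; the sample inputs are constructed.

```python
"""Defender-side check for CVE-2020-1956 (Apache Kylin command injection).
Input is the version string the instance reports (the advisory's check reads it
from /kylin/api/admin/version) plus the text of kylin.properties."""
import re
from typing import Optional, Tuple

# Inclusive affected ranges as listed in the advisory.  The 3.0.0 pre-releases
# (alpha, alpha2, beta) all sort below the 3.0.2 fix, so comparing only the
# (major, minor, patch) triple covers the 3.0.x entries as well.
AFFECTED_RANGES = [
    ((2, 3, 0), (2, 3, 2)), ((2, 4, 0), (2, 4, 1)), ((2, 5, 0), (2, 5, 2)),
    ((2, 6, 0), (2, 6, 5)), ((3, 0, 0), (3, 0, 1)),
]
WORKAROUND_KEY = "kylin.tool.auto-migrate-cube.enabled"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?$")

def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """'3.0.0-alpha2' -> (3, 0, 0); None if the string is not a Kylin version."""
    m = _VERSION_RE.match(raw.strip())
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def is_affected_version(raw: str) -> Optional[bool]:
    """True/False for a parseable version, None when it cannot be parsed."""
    v = parse_version(raw)
    return None if v is None else any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def workaround_applied(properties_text: str) -> bool:
    """True if kylin.properties sets the migrate tool to false (last value wins)."""
    value = None
    for line in properties_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == WORKAROUND_KEY:
            value = val.strip().lower()
    return value == "false"

def assess(raw_version: str, properties_text: str = "") -> str:
    """'unknown', 'not-affected', 'mitigated' or 'vulnerable'."""
    affected = is_affected_version(raw_version)
    if affected is None:
        return "unknown"
    if not affected:
        return "not-affected"
    return "mitigated" if workaround_applied(properties_text) else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    props = "kylin.server.mode=all\nkylin.tool.auto-migrate-cube.enabled=false\n"
    for ver in ("3.0.1", "3.0.0-alpha2", "2.6.5", "2.6.6", "3.0.2", "dev"):
        print(f"{ver:13} {assess(ver):13} with workaround: {assess(ver, props)}")
```

A "mitigated" result only means the workaround key is set; the upgrade to 3.0.2 or 2.6.6 remains the recommended fix.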
- Apache Kylin Security Advisory -
lists.apache.org/thread/npo8mtv0qkbfdfz8yg9vhl2lg959q1zy
CVEs related to QID 730430
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Apache Kylin Security Advisory | Apache Kylin | | lists.apache.org/thread/npo8mtv0qkbfdfz8yg9vhl2lg959q1zy |