CVE-2020-13926 – org.apache.kylin:kylin-server-base
Package
Manager: maven
Name: org.apache.kylin:kylin-server-base
Vulnerable Version: >=0 <3.1.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03106 pctl0.86301
Details
SQL Injection in Kylin. Kylin concatenates and executes a Hive SQL statement in the Hive CLI or beeline when building a new segment; part of the HQL comes from system configuration, and that configuration can be overwritten through certain REST APIs, which makes a SQL injection attack possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.
Metadata
Created: 2020-07-27T22:51:40Z
Modified: 2021-09-22T21:51:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-hx5g-8hq2-8x4w/GHSA-hx5g-8hq2-8x4w.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-hx5g-8hq2-8x4w
Finding: F297
Auto approve: 1