This is an automated email from the ASF dual-hosted git repository. nic pushed a commit to branch document in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/document by this push: new cdeba77 Add page for security cdeba77 is described below commit cdeba7784045d913199c93108162299b206905ea Author: nichunen <n...@apache.org> AuthorDate: Sun Feb 23 14:17:58 2020 +0800 Add page for security --- website/_data/docs.yml | 6 +++++- website/_docs/security.md | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/website/_data/docs.yml b/website/_data/docs.yml index 5c99520..88c0a4d 100644 --- a/website/_data/docs.yml +++ b/website/_data/docs.yml @@ -85,4 +85,8 @@ - howto/howto_install_ranger_kylin_plugin - howto/howto_enable_zookeeper_acl - howto/howto_use_health_check_cli - - howto/howto_use_hive_mr_dict \ No newline at end of file + - howto/howto_use_hive_mr_dict + +- title: Security + docs: + - security \ No newline at end of file diff --git a/website/_docs/security.md b/website/_docs/security.md new file mode 100644 index 0000000..8dca57a --- /dev/null +++ b/website/_docs/security.md @@ -0,0 +1,41 @@ +--- +layout: docs +title: Security Issues +categories: docs +permalink: /docs/security.html +--- + +### [CVE-2020-1937](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1937) Apache Kylin SQL injection vulnerability + +__Severity__ + +Important + +__Vendor__ + +The Apache Software Foundation + + +__Versions Affected__ + +Kylin 2.3.0 to 2.3.2 + +Kylin 2.4.0 to 2.4.1 + +Kylin 2.5.0 to 2.5.2 + +Kylin 2.6.0 to 2.6.4 + +Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0 + +__Description__ + +Kylin has some restful apis which will concat sqls with the user input string, a user is likely to be able to run malicious database queries. + +__Mitigation__ + +Users should upgrade to 3.0.1 or 2.6.5 + +__Credit__ + +This issue was discovered by Jonathan Leitschuh \ No newline at end of file
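Review bot: in the website/_data/docs.yml hunk, the file still ends without a trailing newline ("\ No newline at end of file" appears on both the old `- howto/howto_use_hive_mr_dict` line and the new `- security` line), so the next edit to this file will again show a spurious change on the last line; add a final newline after `  - security` while touching this spot.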
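Review bot: in the website/_docs/security.md hunk, the __Description__ sentence is a run-on and uses non-standard terms ("restful apis", "concat sqls"); suggest rewording it to "Some of Kylin's REST APIs concatenate SQL with user-supplied strings, so a user is likely to be able to run malicious database queries." The __Versions Affected__ entries would also read better as a single markdown list (one `- Kylin 2.3.0 to 2.3.2` item per line) than as separate paragraphs, the __Mitigation__ line "Users should upgrade to 3.0.1 or 2.6.5" needs a terminating period, and this new file also ends without a trailing newline.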