This is an automated email from the ASF dual-hosted git repository. nic pushed a commit to branch document in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/document by this push: new 5ed64e1 Add security issue of CVE-2020-1956 5ed64e1 is described below commit 5ed64e16129476e4502a1a2cf1b417ba359cfc40 Author: nichunen <n...@apache.org> AuthorDate: Wed May 20 09:40:57 2020 +0800 Add security issue of CVE-2020-1956 --- website/_docs/security.md | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/website/_docs/security.md b/website/_docs/security.md index 8dca57a..f905b3d 100644 --- a/website/_docs/security.md +++ b/website/_docs/security.md @@ -38,4 +38,39 @@ Users should upgrade to 3.0.1 or 2.6.5 __Credit__ -This issue was discovered by Jonathan Leitschuh \ No newline at end of file +This issue was discovered by Jonathan Leitschuh + +### [CVE-2020-1956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1956) Apache Kylin command injection vulnerability + +__Severity__ + + +Important + +__Vendor__ + +The Apache Software Foundation + +__Versions Affected__ + +Kylin 2.3.0 to 2.3.2 + +Kylin 2.4.0 to 2.4.1 + +Kylin 2.5.0 to 2.5.2 + +Kylin 2.6.0 to 2.6.5 + +Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin 3.0.1 + +__Description__ + +Kylin has some restful api which will concat os command with the user input string, a user is likely to be able to execute any os command without any protection or validation. + +__Mitigation__ + +Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabled to false to disable command execution. + +__Credit__ + +This issue was discovered by Johannes Dahse
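Review bot: the __Description__ paragraph added in this hunk is hard to read and does not state the impact plainly; suggest rewording "Kylin has some restful api which will concat os command with the user input string, a user is likely to be able to execute any os command without any protection or validation." to something like "Some Kylin REST APIs concatenate user-supplied strings into operating-system commands without validation or escaping, so a user can execute arbitrary OS commands on the Kylin server." Two smaller points in the same hunk: "__Severity__" is followed by two blank lines where the other sections (and the preceding CVE entry) use one, and the __Mitigation__ line reads as if the config change and the upgrade were equivalent; make clear that upgrading to 3.0.2 or 2.6.6 is the fix and that setting kylin.tool.auto-migrate-cube.enabled to false is a workaround for deployments that cannot upgrade yet.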