This is an automated email from the ASF dual-hosted git repository.

nic pushed a commit to branch document
in repository https://gitbox.apache.org/repos/asf/kylin.git


The following commit(s) were added to refs/heads/document by this push:
     new 5ed64e1  Add security issue of CVE-2020-1956
5ed64e1 is described below

commit 5ed64e16129476e4502a1a2cf1b417ba359cfc40
Author: nichunen <n...@apache.org>
AuthorDate: Wed May 20 09:40:57 2020 +0800

    Add security issue of CVE-2020-1956
---
 website/_docs/security.md | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/website/_docs/security.md b/website/_docs/security.md
index 8dca57a..f905b3d 100644
--- a/website/_docs/security.md
+++ b/website/_docs/security.md
@@ -38,4 +38,39 @@ Users should upgrade to 3.0.1 or 2.6.5
 
 __Credit__
 
-This issue was discovered by Jonathan Leitschuh
\ No newline at end of file
+This issue was discovered by Jonathan Leitschuh
+
+### 
[CVE-2020-1956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1956) 
Apache Kylin command injection vulnerability
+
+__Severity__
+
+
+Important
+
+__Vendor__
+
+The Apache Software Foundation
+
+__Versions Affected__
+
+Kylin 2.3.0 to 2.3.2
+
+Kylin 2.4.0 to 2.4.1
+
+Kylin 2.5.0 to 2.5.2
+
+Kylin 2.6.0 to 2.6.5
+
+Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0, Kylin 
3.0.1
+
+__Description__
+
+Kylin has some restful api which will concat os command with the user input 
string, a user is likely to be able to execute any os command without any 
protection or validation.
+
+__Mitigation__
+
+Users should upgrade to 3.0.2 or 2.6.6 or set 
kylin.tool.auto-migrate-cube.enabled to false to disable command execution. 
+
+__Credit__
+
+This issue was discovered by Johannes Dahse
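Review bot: the __Mitigation__ entry offers a single configuration switch, kylin.tool.auto-migrate-cube.enabled, as an alternative to upgrading, but the __Description__ only says "some restful api" concatenate user input into an OS command without naming them, so a reader cannot tell whether turning that one property off disables every affected API or only the cube auto-migration path; name the endpoint(s) the property governs next to it, or state plainly that upgrading to 3.0.2 or 2.6.6 is the only complete fix and the property is a partial workaround. Two smaller points in the same hunk: the __Severity__ block carries two blank `+` lines before "Important" where every other section carries one, and the Mitigation line ends with a trailing space after "execution."; the Description would also read more clearly as two sentences, e.g. "Some of Kylin's REST APIs concatenate user-supplied strings into an OS command without validation. A user can therefore execute arbitrary OS commands."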
