This is an automated email from the ASF dual-hosted git repository. xxyu pushed a commit to branch document in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/document by this push: new da4f13b Add new security issue in Kylin 3.1.0 da4f13b is described below commit da4f13bdda66539d6ef4bf4bca619dc763b49604 Author: xxyu <x...@apache.org> AuthorDate: Wed Jul 15 16:13:45 2020 +0800 Add new security issue in Kylin 3.1.0 CVE-2020-13925,CVE-2020-13926 --- website/_docs/security.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/website/_docs/security.md b/website/_docs/security.md index 2a87c9a..56b77f2 100644 --- a/website/_docs/security.md +++ b/website/_docs/security.md 
@@ -5,6 +5,59 @@ categories: docs permalink: /docs/security.html --- +### [CVE-2020-13926](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13926) + +__Severity__ + +Important + +__Vendor__ + +The Apache Software Foundation + +__Versions Affected__ + +Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2 + +__Description__ + +Kylin concatenates and executes some Hive SQL statements in Hive CLI or beeline when building new segments; some parts of the SQL are from system configurations, while the configuration can be overwritten by certain rest API, which make SQL injection attack is possible. + +__Mitigation__ + +Users of all previous versions after 2.0 should upgrade to 3.1.0. + +__Credit__ + +We would like to thank Rupeng Wang from Kyligence for reporting and fix this issue. + + +### [CVE-2020-13925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13925) + +__Severity__ + +Important + +__Vendor__ + +The Apache Software Foundation + +__Versions Affected__ + +Kylin 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2 + +__Description__ + +Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers have the possibility to execute OS command remotely. + +__Mitigation__ + +Users of all previous versions after 2.3 should upgrade to 3.1.0. + +__Credit__ + +We would like to thank Clancey <clanc...@protonmail.com> for reporting this issue. + ### [CVE-2020-1937](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1937) Apache Kylin SQL injection vulnerability
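Review bot: Both __Versions Affected__ lists in this hunk drop the comma before the last entry ("3.0.1 3.0.2"), which renders the two releases as a single token; write "3.0.1, 3.0.2". The prose in both __Description__ blocks also needs a grammar pass before it lands on the public security page: "which make SQL injection attack is possible" should read "which makes SQL injection possible", and "causes the hackers have the possibility to execute OS command remotely" should read "allows remote OS command execution". The CVE-2020-13926 credit line "reporting and fix this issue" should be "reporting and fixing this issue". Finally, "Users of all previous versions after 2.0 should upgrade to 3.1.0" is ambiguous about whether 2.0.0 itself is affected; since the list starts at 2.0.0, phrase the mitigation as "Users of versions 2.0.0 through 3.0.2 should upgrade to 3.1.0" (and "2.3.0 through 3.0.2" for CVE-2020-13925) so it matches the affected-version lists exactly.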