Remote Command Execution in Apache Kylin Due to Input Validation Flaw
CVE-2020-13925

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Kylin
Vendor: CVE Published:; 14 July 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A security vulnerability in Apache Kylin allows an attacker to execute arbitrary OS commands on the server. This issue arises from a RESTful API that inadequately validates input, leading to potential exploitation. Users of Kylin from version 2.3 to prior than 3.1.0 are urged to upgrade to the latest version to mitigate risks associated with this vulnerability.

Affected Version(s)

Apache Kylin Apache Kylin 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-13925
Created by bit4woo

References

https://lists.apache.org/thread.html/r250a867961cfd6e0506...

x_refsource_MISC

https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 20, 2020
👾
Exploit known to exist
Jul 20, 2020
Vulnerability published
Jul 14, 2020
Vulnerability Reserved
Jun 8, 2020