CVE-2020-13925

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Kylin
Vendor: CVE Published:; 14 July 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.

Affected Version(s)

Apache Kylin Apache Kylin 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-13925
Created by bit4woo

References

https://lists.apache.org/thread.html/r250a867961cfd6e0506...

x_refsource_MISC

https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 20, 2020
👾
Exploit known to exist
Jul 20, 2020
Vulnerability published
Jul 14, 2020
Vulnerability Reserved
Jun 8, 2020