Vulnerability in Apache Kylin
CVE-2020-1956
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, expose several REST APIs that concatenate user-supplied strings into operating-system commands without validation or escaping. A user who can reach these APIs can therefore execute arbitrary OS commands on the Kylin server (command injection).
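The pattern behind the description above, shown as an added example that is not Apache Kylin's own code: a request parameter is glued into a command string that a shell parses, so shell metacharacters in the parameter become extra commands. The parameter name, the "diag" subcommand and the use of echo as a stand-in for a real maintenance script are assumptions made for the demonstration, which needs a POSIX /bin/bash to run. The hardened variant rejects anything outside a strict allowlist and passes each argument as its own argv element, so no shell ever interprets the input.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration of the vulnerability class in CVE-2020-1956.
// Not Kylin's code: "echo" stands in for a diagnosis script so the output
// shows exactly what reached the command line.
public class CommandInjectionDemo {

    private static final String SCRIPT = "echo";

    // Allowlist for a project-style identifier (an assumption for the example).
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    // VULNERABLE: the user-controlled value is concatenated into one string
    // and handed to "bash -c", so ';', '&&', '|', '`...`' and '$(...)' in the
    // input are executed as further commands.
    static String vulnerableRun(String project) throws IOException, InterruptedException {
        String cmd = SCRIPT + " diag -project " + project;
        return run(Arrays.asList("/bin/bash", "-c", cmd));
    }

    // HARDENED: validate against the allowlist, then pass argv directly.
    // The argv form alone already defeats shell metacharacters because no
    // shell is involved; the allowlist is defence in depth against flags,
    // path traversal and similar argument-level abuse of the script itself.
    static String safeRun(String project) throws IOException, InterruptedException {
        if (!SAFE_NAME.matcher(project).matches()) {
            throw new IllegalArgumentException("project name rejected: " + project);
        }
        return run(Arrays.asList(SCRIPT, "diag", "-project", project));
    }

    // Runs argv without a shell and returns combined stdout/stderr.
    static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        try (InputStream in = p.getInputStream()) {
            String out = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            p.waitFor();
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: a valid-looking name followed by an injected command.
        String payload = "learn_kylin; echo INJECTED";

        // The vulnerable path prints the diag line and then a second line
        // produced by the injected "echo INJECTED".
        System.out.print("vulnerable path output:\n" + vulnerableRun(payload));

        // The hardened path refuses the payload outright ...
        try {
            safeRun(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened path: " + e.getMessage());
        }

        // ... and still works for a legitimate identifier.
        System.out.print("hardened path output: " + safeRun("learn_kylin"));
    }
}
```

Compile and run with `javac CommandInjectionDemo.java && java CommandInjectionDemo` (Java 9 or later). The vulnerable call shows two lines of output for one request, which is the observable signature of the injection; the same payload never reaches a shell in the hardened call.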
EPSS: 0.937 (99.9th percentile)
Affected products
- Apache Kylin — 2.3.0 through 2.6.5, and the 3.0.x line up to and including 3.0.1
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2022-03-25. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions (the Apache Kylin advisory for this CVE directs users to upgrade to 2.6.6 or 3.0.2 or later).
Public proof-of-concept exploits
References (several of the mailing-list entries below announce CVE-2020-13925, the follow-up Apache Kylin command-injection CVE that the Kylin project described as similar to this one; patching for CVE-2020-1956 alone does not cover it)
- lists.apache.org/thread.html/r1332ef34cf8e2c0589cf44ad269fb1fb4c06addec6297f032… (x_refsource_MISC)
- community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/… (x_refsource_MISC)
- [kylin-user] 20200713 [SECURITY][CVE-2020-13925] Apache Kylin command injection vulnerability (mailing-list, x_refsource_MLIST)
- [kylin-dev] 20200713 [SECURITY][CVE-2020-13925] Apache Kylin command injection vulnerability (mailing-list, x_refsource_MLIST)
- [kylin-commits] 20200713 svn commit: r1879845 - in /kylin/site: docs/security.html feed.xml (mailing-list, x_refsource_MLIST)
- [announce] 20200713 [SECURITY][CVE-2020-13925] Apache Kylin command injection vulnerability (mailing-list, x_refsource_MLIST)
- [oss-security] 20200714 [SECURITY][CVE-2020-13925] Apache Kylin command injection vulnerability (mailing-list, x_refsource_MLIST)
- [kylin-commits] 20200715 svn commit: r1879879 - in /kylin/site: docs/security.html feed.xml (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-1956?
- CVE-2020-1956 is a vulnerability in Apache Kylin. Published 2020-05-22.
- Is CVE-2020-1956 known to be exploited?
- Yes. CVE-2020-1956 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-25), indicating it is being actively exploited. 22 public proof-of-concept repositories are indexed.