CVSS2: 9 High (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 7.7 High (Confidence: Low)
EPSS: 0.974 High (Percentile: 99.9%)

The instance of Apache Kylin running on the remote host is 2.3.x prior to 2.3.3, 2.4.x prior to 2.4.2, 2.5.x prior to 2.5.3, 2.6.x prior to 2.6.6 or 3.x prior to 3.0.2. Therefore, it is affected by a command injection vulnerability due to some RESTful APIs concatenating OS commands with user input strings. An authenticated, remote attacker with the MANAGEMENT or ADMIN permissions on any project can inject arbitrary system commands during Cube migration via the Kylin web interface.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');

if (description)
{
  script_id(186352);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/28");

  script_cve_id("CVE-2020-1956");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Apache Kylin 2.3.x < 2.3.3 / 2.4.x < 2.4.2 / 2.5.x < 2.5.3 / 2.6.x < 2.6.6 / 3.x < 3.0.2 Command Injection (CVE-2020-1956)");

  script_set_attribute(attribute:"synopsis", value:
"The application running on the remote host is affected by a command injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The instance of Apache Kylin running on the remote host is 2.3.x prior to 2.3.3, 2.4.x prior to 2.4.2, 2.5.x prior to
2.5.3, 2.6.x prior to 2.6.6 or 3.x prior to 3.0.2. Therefore, it is affected by a command injection vulnerability due to
some restful APIs concatenating OS commands with user input strings. An authenticated, remote attacker with the
MANAGEMENT or ADMIN permissions on any project can inject arbitrary system commands during Cube migration via the Kylin
web interface.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported
version number.");
  # https://community.sonarsource.com/t/tech-story-apache-kylin-3-0-1-command-injection-vulnerability/25706
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3b0bbbae");
  script_set_attribute(attribute:"see_also", value:"https://kylin.apache.org/docs/security.html");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2020-1956");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Kylin version 2.6.6, 3.0.2 or later or set kylin.tool.auto-migrate-cube.enabled to false.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1956");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/28");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:kylin");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_kylin_web_detect.nbin");
  script_require_keys("installed_sw/Apache Kylin", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Kylin';

var app_info = vcf::combined_get_app_info(app:app);

# config check: kylin.tool.auto-migrate-cube.enabled
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

var constraints = [
  {'min_version': '2.3.0', 'fixed_version': '2.6.6'},
  {'min_version': '3.0.0-alpha', 'fixed_version': '3.0.2'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
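
The plugin decides on the self-reported version alone and runs only in paranoid mode, because kylin.tool.auto-migrate-cube.enabled cannot be read remotely. The following is an added example, not Tenable's or the Kylin project's code: it combines the plugin's version ranges with a local read of that property. The function names and sample properties text are constructed for illustration, and it assumes the setting is stored as a key=value line in a kylin.properties file.

```python
import re

# Ranges mirror the plugin's `constraints` list: (min_version, fixed_version).
CONSTRAINTS = [((2, 3, 0), (2, 6, 6)), ((3, 0, 0), (3, 0, 2))]
MITIGATION_KEY = "kylin.tool.auto-migrate-cube.enabled"


def parse_version(text):
    """Return the leading numeric x.y.z as a tuple; suffixes such as -alpha are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def in_affected_range(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in CONSTRAINTS)


def read_property(properties_text, key):
    """Last uncommented key=value assignment of key, or None if it is not set.

    Simplification: only the key=value form is parsed, not ':' or whitespace separators.
    """
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            value = v.strip()
    return value


def assess(version, properties_text):
    if not in_affected_range(version):
        return "not affected by version"
    setting = read_property(properties_text, MITIGATION_KEY)
    if setting is None:
        # The effective default is not stated on the page, so do not assume it.
        return "affected version, mitigation not set explicitly"
    if setting.lower() == "false":
        return "affected version, mitigated by configuration"
    return "affected version, cube migration enabled"


# Constructed sample kylin.properties content, not taken from a real host.
SAMPLE = "# tool settings\nkylin.tool.auto-migrate-cube.enabled=false\n"
```

An unset property is reported separately from an explicit false so that a host is only counted as mitigated when the setting named in the plugin's solution text is actually present.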