CVE-2020-1956: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

July 27, 2020 (updated September 22, 2021)

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

References

github.com/advisories/GHSA-gprm-xqrc-c2j3
github.com/apache/kylin/commit/58fad56ac6aaa43c6bd8f962d7f2d84438664092
nvd.nist.gov/vuln/detail/CVE-2020-1956

Detect and mitigate CVE-2020-1956 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →