CVE-2020-13925: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

July 27, 2020 (updated September 22, 2021)

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.

References

github.com/advisories/GHSA-qwfw-gxx2-mmv2
nvd.nist.gov/vuln/detail/CVE-2020-13925

Detect and mitigate CVE-2020-13925 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →