CVE-2020-13926

{"id": "CVE-2020-13926", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-07-14T13:15:11.517", "references": [{"url": "https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0."}, {"lang": "es", "value": "Kylin concatena y ejecuta un Hive SQL en Hive CLI o en l\u00ednea recta cuando se construye un nuevo segmento; alguna parte de la HQL proviene de las configuraciones del sistema, mientras que la configuraci\u00f3n puede ser sobrescrita con determinada API rest, lo que hace posible el ataque de inyecci\u00f3n SQL. Los usuarios de todas las versiones anteriores despu\u00e9s de 2.0 deben actualizar a la versi\u00f3n 3.1.0"}], "lastModified": "2024-11-21T05:02:09.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAB24F64-EAD4-4DD1-92C1-32FE5F2F3E18", "versionEndExcluding": "3.1.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}