CVE-2020-13926
CRITICALApache Kylin 2.0.0-3.0.9 - SQL Injection via REST API Configuration Overwrite
Title source: llmDescription
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.
References (2)
Core 2
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E
Scores
CVSS v3
9.8
EPSS
0.0311
EPSS Percentile
87.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
apache/kylin
2.0.0 - 3.1.0
org.apache.kylin/kylin-server-base
0 - 3.1.0Maven
Published
Jul 14, 2020
Tracked Since
Feb 18, 2026