Cyber Resilience

CVE-2020-1956

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 22 May 2020
Modified: 23 October 2025
KEV Added: 25 March 2022
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9411 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-1956 is a high-severity OS command injection (CWE-78) vulnerability in Apache Kylin with a CVSS v3.1 base score of 8.8 (High). The vector (PR:L, UI:N) means a low-privileged authenticated user can trigger it over the network without any user interaction.

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

Apache Kylin 2.3.0 through 2.6.5 and 3.0.0 through 3.0.1 contain a command injection vulnerability in multiple RESTful APIs. These endpoints build operating system command lines by concatenating unsanitized user-supplied strings into them, so a caller can inject shell metacharacters or additional commands that the host executes without validation or protection (CWE-78).

An authenticated attacker with network access and low privileges can supply crafted input to the affected APIs and execute arbitrary operating system commands on the server, with the privileges of the account running the Kylin service. This gives the attacker full control over the confidentiality, integrity, and availability of the host, consistent with the CVSS 3.1 base score of 8.8.
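As an added example (not Apache Kylin's own code), the Java sketch below contrasts the concatenation pattern the advisory describes with a hardened handler that applies an allow-list check and passes arguments to the OS without a shell. The handler, the tool path /opt/tool/diag.sh and the project parameter are hypothetical stand-ins; Kylin's actual endpoints are not reproduced here.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative CWE-78 pattern and its fix. Added example code, not Kylin's
// source: the handler, the tool path and the "project" parameter are
// hypothetical stand-ins for a REST endpoint that passes a caller-controlled
// string to an OS tool.
public class CommandInjectionDemo {

    // VULNERABLE (the pattern the CVE describes): the caller's string is
    // spliced into a command line that is then handed to a shell, so
    // metacharacters such as ';', '|', '`' or '$(...)' become new commands.
    static List<String> buildVulnerableArgv(String project) {
        String cmdLine = "/opt/tool/diag.sh --project " + project;
        return Arrays.asList("/bin/sh", "-c", cmdLine);
    }

    // Allow-list for identifiers (letters, digits, underscore; 1-64 chars).
    // Rejecting everything else is the SI-10 input-validation control.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    static String requireSafeId(String value) {
        if (value == null || !SAFE_ID.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected unsafe identifier: " + value);
        }
        return value;
    }

    // HARDENED: validate first, then pass the program and each argument as
    // separate argv entries with no shell in between. Even if validation were
    // bypassed, a stray ';' would arrive inside one argument, not act as a
    // command separator.
    static List<String> buildHardenedArgv(String project) {
        return Arrays.asList("/opt/tool/diag.sh", "--project", requireSafeId(project));
    }

    // Launch with ProcessBuilder(List) so no shell interprets the arguments.
    static Process runHardened(String project) throws java.io.IOException {
        return new ProcessBuilder(buildHardenedArgv(project)).start();
    }

    public static void main(String[] args) {
        String attack = "demo; id > /tmp/pwned";

        // The shell receives one string and would run both commands.
        System.out.println("vulnerable argv: " + buildVulnerableArgv(attack));

        // The hardened path refuses the payload before any process is spawned.
        try {
            buildHardenedArgv(attack);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened: " + e.getMessage());
        }

        // A legitimate identifier passes and yields a discrete argv.
        System.out.println("hardened argv: " + buildHardenedArgv("sales_2020"));
    }
}
```

Compile and run with `javac CommandInjectionDemo.java && java CommandInjectionDemo`; main() only builds argument vectors and never starts a process, so it is safe to run anywhere. Note that even the hardened handler still executes as the service account, which is why AC-6 (running Kylin under a dedicated low-privilege user) matters alongside SI-10.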

Public advisories and patch information have been distributed via the Apache Kylin commit and user mailing lists and the related security forums referenced in the CVE record. The available information gives no details of observed real-world exploitation, although inclusion in the CISA KEV catalog indicates evidence of active exploitation.


Vulnerability details

CVE record description: "Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation."

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: kylin
Versions: 2.3.0 to 2.3.2 · 2.4.0, 2.4.1 · 2.5.0 to 2.5.2 · 2.6.0 to 2.6.5 · 3.0.0, 3.0.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of all input to the REST APIs before it reaches any OS command construction, blocking the unsanitized string concatenation the CVE describes.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling or restricting the shell interpreters and OS command execution paths that the vulnerable Kylin APIs rely on.

AC-6 Least Privilege (prevent)

Limits the privileges of the low-privileged authenticated accounts that can reach the affected REST endpoints, and of the service account Kylin runs under, reducing the impact of a successful command injection on the host OS.
