CVE-2020-1956
Published: 22 May 2020
Summary
CVE-2020-1956 is a high-severity OS Command Injection (CWE-78) vulnerability in Apache Kylin. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
Apache Kylin versions 2.3.0 through 2.6.5 and 3.0.1 contain a command injection vulnerability in multiple RESTful APIs. These endpoints concatenate operating system commands directly with unsanitized user input strings, enabling arbitrary command execution without validation or protection, as classified under CWE-78.
An authenticated attacker with network access and low privileges can supply crafted input to the affected APIs and execute any operating system command on the server. This grants full control over confidentiality, integrity, and availability of the host system, consistent with the CVSS 3.1 base score of 8.8.
Public advisories and patch information have been distributed via Apache Kylin commit and user mailing lists as well as related security forums referenced in the CVE record. No details on observed real-world exploitation are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-0557
Vulnerability details
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, has some restful apis which will concatenate os command with the user input string; a user is likely to be able to execute any os command without any protection or validation.
- CWE(s): CWE-78
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all input to REST APIs before any OS command concatenation, blocking the unsanitized string injection described in the CVE.
- CM-7 (Least Functionality): enforces least functionality by disabling or restricting shell interpreters and OS command execution paths that the vulnerable Kylin APIs rely on.
- AC-6 (Least Privilege): limits the privileges of the low-privileged authenticated accounts that can reach the affected REST endpoints, reducing the impact of successful command injection to the host OS.
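The following Java class is an added illustration of the SI-10 and CM-7 controls above; it is not Apache Kylin code and does not reproduce any Kylin endpoint. The class name, the `/opt/tool/export-tool` path, the `--project` flag and the sample inputs are all hypothetical. It contrasts the CWE-78 pattern the CVE describes (a user string spliced into a shell command line) with a handler that validates the value against a strict allowlist and then passes it as a discrete argument to `ProcessBuilder`, so no shell ever parses it. Running the service under a dedicated low-privilege account (AC-6) is an operational setting and is not expressed in code here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical REST handler showing the CWE-78 pattern and its SI-10 / CM-7 fix. */
public final class ProjectExportHandler {

    // Strict allowlist for a project name; anything outside it is rejected (SI-10).
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // VULNERABLE shape described by the CVE: user input concatenated into a shell string.
    // Kept only for contrast; it is never executed by this class.
    public static String[] buildVulnerableCommand(String projectName) {
        return new String[] {"/bin/sh", "-c", "/opt/tool/export-tool --project " + projectName};
    }

    // HARDENED: validate first, then hand the value over as its own argv element
    // with no shell interpreter in the path (CM-7).
    public static List<String> buildSafeCommand(String projectName) {
        if (projectName == null || !SAFE_NAME.matcher(projectName).matches()) {
            throw new IllegalArgumentException("invalid project name");
        }
        return List.of("/opt/tool/export-tool", "--project", projectName);
    }

    // Executes the hardened command; the hypothetical tool path must exist on the host.
    public static String runSafe(String projectName) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildSafeCommand(projectName));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        byte[] out = p.getInputStream().readAllBytes();
        int code = p.waitFor();
        if (code != 0) {
            throw new IOException("export tool exited with status " + code);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed name and two containing shell metacharacters.
        String[] probes = {"sales_2020", "bad;name", "x || y"};
        for (String s : probes) {
            try {
                System.out.println("accepted: " + buildSafeCommand(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

Running `main` prints one accepted argv list and two rejections; the rejections happen before any process is spawned, which is the property SI-10 asks for. The allowlist is deliberately narrower than "everything except metacharacters", because a denylist of shell characters is easy to get wrong across shells and locales, whereas a positive pattern for the expected identifier is simple to audit.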