CVE-2020-13925
Description
Apache Kylin contains a command injection vulnerability in a REST API that concatenates user input into OS commands without validation, allowing remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-13925 is a command injection vulnerability in Apache Kylin, similar to CVE-2020-1956. A REST API endpoint concatenates user-supplied input directly into operating system commands without proper validation or sanitization [1][2]. This flaw allows an attacker to inject arbitrary OS commands that are then executed on the server.
Exploitation
The vulnerable REST API is remotely accessible, requiring only network connectivity to the Kylin server. No authentication or special privileges are mentioned in the advisories, suggesting that the endpoint may be exposed without access controls [1][2]. An attacker can craft a malicious request containing OS command syntax, which the API blindly incorporates into a system command.
Impact
Successful exploitation enables remote code execution as the Kylin server process. An attacker can execute arbitrary commands, potentially leading to full compromise of the server, data exfiltration, or lateral movement within the network.
Mitigation
The Apache Kylin project has addressed this vulnerability in version 3.1.0. Users running any version after 2.3 are advised to upgrade immediately [1][2]. No workarounds are documented; upgrading is the recommended course of action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
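The Overview and Mitigation sections above describe the defect in general terms: request input spliced into an OS command line. The following Java snippet is an added illustration of that pattern beside a hardened equivalent; it is not code from Apache Kylin or from the advisories, and the handler name, script path, parameter name and allowlist rule are all assumptions made for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical handler for a REST endpoint that shells out to a diagnostic script.
 * DiagnosisHandler, runVulnerable, runHardened, bin/diag.sh and the "-project"
 * option are assumed for this example and are not Kylin's own identifiers.
 */
public class DiagnosisHandler {

    // Allowlist: a lowercase identifier of bounded length. Anything else is rejected
    // before it can reach a command line.
    private static final Pattern PROJECT_NAME = Pattern.compile("^[a-z][a-z0-9_]{0,63}$");

    // Vulnerable pattern (the class of defect the advisory describes): the request
    // parameter is concatenated into a string that a shell then re-parses, so any
    // shell syntax inside the parameter becomes part of the command.
    public static Process runVulnerable(String project) throws IOException {
        String cmdLine = "bin/diag.sh -project " + project;
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", cmdLine});
    }

    // Hardened pattern: validate against the allowlist, then invoke the program with an
    // argument vector. No shell is involved, so the value is one argv element and is
    // never re-parsed.
    public static Process runHardened(String project) throws IOException {
        if (!isValidProjectName(project)) {
            throw new IllegalArgumentException("project name rejected by allowlist");
        }
        List<String> argv = new ArrayList<>();
        argv.add("bin/diag.sh");
        argv.add("-project");
        argv.add(project);
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    // Validation on its own, so it can also be applied in a request filter or
    // parameter binder ahead of the handler.
    public static boolean isValidProjectName(String project) {
        return project != null && PROJECT_NAME.matcher(project).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed name, then values the allowlist rejects
        // (uppercase and whitespace, a metacharacter, an empty string, an over-long name).
        String[] samples = {"sales_2020", "Sales 2020", "a;b", "", "x".repeat(70)};
        for (String s : samples) {
            System.out.println("'" + s + "' -> " + (isValidProjectName(s) ? "accepted" : "rejected"));
        }
    }
}
```

The two changes in runHardened are independent and both matter: the argv-style ProcessBuilder call removes the shell, so concatenation can no longer turn data into command syntax, and the allowlist rejects unexpected values early so that the external script itself is only ever handed identifiers of the shape it expects. Review any remaining Runtime.exec(String) or "sh -c" call sites the same way.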
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.kylin:kylin-server-base | Maven | < 3.1.0 | 3.1.0 |
Affected products
- Kylin/Kylin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qwfw-gxx2-mmv2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13925 (GHSA, advisory)
- lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf@%3Ccommits.kylin.apache.org%3E (GHSA, web)
- lists.apache.org/thread.html/r250a867961cfd6e0506240a9c7eaee782d84c6ab0091c7c4bc45f3eb%40%3Cuser.kylin.apache.org%3E (GHSA, x_refsource_MISC, web)
- snyk.io/vuln/SNYK-JAVA-ORGAPACHEKYLIN-584373 (GHSA, web)
News mentions
No linked articles in our index yet.