VYPR
Moderate severity · NVD Advisory · Published Oct 19, 2020 · Updated Aug 4, 2024

CVE-2020-13937

Description

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0 and 4.0.0-alpha have one RESTful API that exposes Kylin's configuration information without any authentication. This is dangerous because some confidential configuration entries are disclosed to everyone who can reach the endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Kylin's unauthenticated REST API exposes sensitive configuration information, allowing remote attackers to obtain confidential data.

The vulnerability is an information disclosure flaw in Apache Kylin's REST API. Specifically, a RESTful endpoint exposes the application's configuration information without requiring any authentication, allowing any remote attacker to access sensitive configuration entries [1].

Exploitation requires no authentication or special privileges. An attacker only has to send a request to the vulnerable API endpoint over the network, so the attack surface is as broad as the set of clients that can reach the Kylin server [1].

The impact is disclosure of configuration entries that the project itself describes as confidential. Depending on how a deployment is configured, such entries can include credentials or other settings usable in follow-on attacks against the Kylin instance and the systems it connects to [1]; the advisory does not enumerate which entries are exposed.

The vulnerability affects a wide range of Apache Kylin versions from 2.0.0 through 4.0.0-alpha. Users should upgrade to a patched version: per the affected packages table below, 3.1.1 for the 2.x/3.x line and 4.0.0-beta for the 4.0.0-alpha pre-release. No workarounds are mentioned in the available reference [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions               Patched versions
org.apache.kylin:kylin (Maven)   < 3.1.1                         3.1.1
org.apache.kylin:kylin (Maven)   >= 4.0.0-alpha, < 4.0.0-beta    4.0.0-beta
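The two ranges in the table above are easy to misread by hand because Kylin uses Maven-style pre-release qualifiers (3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0). The script below is an added example, not code from the advisory or from the Apache Kylin project: it parses such version strings, orders qualifiers alpha < beta < rc < final (an assumption for this example; the advisory only shows alpha, alpha2 and beta), and applies exactly the two affected ranges and patched versions from the table. The inventory it triages is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Ordering of pre-release qualifiers. The alpha < beta < final part matches the
# order in which the advisory lists 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta and
# 3.0.0; "rc" is an assumption added for completeness.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a release with no qualifier sorts after every pre-release

# "3.0.0", "3.0.0-alpha", "3.0.0-alpha2"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '3.0.0-alpha2' into a tuple that compares correctly:
    ((3, 0, 0), rank_of_alpha, 2). A bare 'alpha' counts as alpha1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so that '3.1' == '3.1.0'
    qualifier, qnum = m.group(2), m.group(3)
    if qualifier is None:
        return tuple(nums), _FINAL_RANK, 0
    rank = _QUALIFIER_RANK.get(qualifier.lower())
    if rank is None:
        raise ValueError(f"unknown qualifier {qualifier!r} in {text!r}")
    return tuple(nums), rank, int(qnum) if qnum else 1


# Affected ranges for org.apache.kylin:kylin exactly as the GHSA table states:
# (lower bound inclusive or None, upper bound exclusive, patched version).
AFFECTED_RANGES = [
    (None, "3.1.1", "3.1.1"),
    ("4.0.0-alpha", "4.0.0-beta", "4.0.0-beta"),
]


def check_version(version: str) -> Optional[str]:
    """Return the patched version to upgrade to if `version` falls in an
    affected range for CVE-2020-13937, else None."""
    v = parse_version(version)
    for lower, upper, fix in AFFECTED_RANGES:
        if lower is not None and v < parse_version(lower):
            continue
        if v < parse_version(upper):
            return fix
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the version it should be upgraded to."""
    findings = {}
    for host, version in inventory.items():
        fix = check_version(version)
        if fix is not None:
            findings[host] = fix
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "kylin-prod-01": "2.6.6",
    "kylin-prod-02": "3.0.0-alpha2",
    "kylin-staging": "3.1.1",
    "kylin-lab-01": "4.0.0-alpha",
    "kylin-lab-02": "4.0.0-beta",
}

if __name__ == "__main__":
    for host, fix in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to {fix}")
```

Note that the first range is taken literally from the table (every version below 3.1.1), so a 1.x install is reported as affected even though the NVD description starts its list at 2.0.0; the GHSA data is the broader of the two and is the safer one to act on.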

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
