Subject: [CVE-2020-1937] Apache Kylin SQL injection vulnerability


Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Kylin 2.3.0 to 2.3.2
Kylin 2.4.0 to 2.4.1
Kylin 2.5.0 to 2.5.2
Kylin 2.6.0 to 2.6.4
Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0

Description:
Kylin has some restful apis which will concatenate SQLs with the user input
string, a user is likely to be able to run malicious database queries.

Mitigation:
Users should upgrade to 3.0.1 or 2.6.5

Credit:
This issue was discovered by Jonathan Leitschuh

References:
https://kylin.apache.org/docs/security.html
---------------------

Best regards,

Ni Chunen / George