CVE-2020-1956

8.8

CVSS
High

PUBLISHED

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user...

Exploited in the wild Remote Low complexity No user interaction

Vendor: Apache
Product: Kylin
Published: May 22, 2020
EPSS: —

Description

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

apache cisa nuclei_scanner

CVSS scores

CVSS v3.1 8.8 High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 9.0

AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitation status

Exploited in the wild

Recorded 2022-03-25 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Mar 25, 2022

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-1956.yaml	Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

b510/CVE-2020-1956

github · Created 2021-07-08 00:58:07 UTC · 0 stars

CVE-2020-1956

Vulnerability detail

CVE-2020-1956

Description

CVSS scores

Exploitation status

SSVC decision points

References

Known exploited vulnerability sources

Scanner integrations

Potential proof of concepts

Timeline