Posted to commits@kylin.apache.org by ni...@apache.org on 2020/02/23 06:18:23 UTC

[kylin] branch document updated: Add page for security

This is an automated email from the ASF dual-hosted git repository.

nic pushed a commit to branch document
in repository https://gitbox.apache.org/repos/asf/kylin.git


The following commit(s) were added to refs/heads/document by this push:
     new cdeba77  Add page for security
cdeba77 is described below

commit cdeba7784045d913199c93108162299b206905ea
Author: nichunen <ni...@apache.org>
AuthorDate: Sun Feb 23 14:17:58 2020 +0800

    Add page for security
---
 website/_data/docs.yml    |  6 +++++-
 website/_docs/security.md | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/website/_data/docs.yml b/website/_data/docs.yml
index 5c99520..88c0a4d 100644
--- a/website/_data/docs.yml
+++ b/website/_data/docs.yml
@@ -85,4 +85,8 @@
   - howto/howto_install_ranger_kylin_plugin
   - howto/howto_enable_zookeeper_acl
   - howto/howto_use_health_check_cli
-  - howto/howto_use_hive_mr_dict
\ No newline at end of file
+  - howto/howto_use_hive_mr_dict
+
+- title: Security
+  docs:
+    - security
\ No newline at end of file
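Review bot: the new `- title: Security` section is again written without a trailing newline (the `\ No newline at end of file` marker after `    - security`), so the next entry appended to this file will churn the `- security` line exactly the way this hunk churns `- howto/howto_use_hive_mr_dict`; end the file with a newline after `    - security`.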
diff --git a/website/_docs/security.md b/website/_docs/security.md
new file mode 100644
index 0000000..8dca57a
--- /dev/null
+++ b/website/_docs/security.md
@@ -0,0 +1,41 @@
+---
+layout: docs
+title:  Security Issues
+categories: docs
+permalink: /docs/security.html
+---
+
+### [CVE-2020-1937](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1937) Apache Kylin SQL injection vulnerability
+
+__Severity__
+
+Important
+
+__Vendor__
+
+The Apache Software Foundation
+
+
+__Versions Affected__
+
+Kylin 2.3.0 to 2.3.2
+
+Kylin 2.4.0 to 2.4.1
+
+Kylin 2.5.0 to 2.5.2
+
+Kylin 2.6.0 to 2.6.4
+
+Kylin 3.0.0-alpha, Kylin 3.0.0-alpha2, Kylin 3.0.0-beta, Kylin 3.0.0
+
+__Description__
+
+Kylin has some restful apis which will concat sqls with the user input string, a user is likely to be able to run malicious database queries.
+
+__Mitigation__
+
+Users should upgrade to 3.0.1 or 2.6.5
+
+__Credit__
+
+This issue was discovered by Jonathan Leitschuh
\ No newline at end of file
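Review bot: the `__Description__` paragraph is too vague for an advisory and reads awkwardly; it says neither which REST APIs concatenate user input into SQL nor whether the caller must already be an authenticated Kylin user, and the grammar ("which will concat sqls with the user input string, a user is likely to be able to") needs tightening. Suggest something like "Some Kylin REST APIs concatenate user-supplied strings directly into SQL, so a user may be able to run arbitrary database queries." The `__Mitigation__` line names 3.0.1 and 2.6.5 only as upgrade targets; stating them under a `__Versions Fixed__` heading in the same `__...__` style would make the fixed versions explicit. The file also ends without a trailing newline (`\ No newline at end of file`).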