Command Injection in Kylin
High severity
GitHub Reviewed
Published
Jul 27, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Package
Affected versions
< 2.6.6
>= 3.0.0, < 3.0.2
Patched versions
2.6.6
3.0.2
Description
Reviewed
Jul 27, 2020
Published to the GitHub Advisory Database
Jul 27, 2020
Last updated
Jan 9, 2023
Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
References