From fb97d100b80c7a4beb0a01cae723cc1d5886cbcd Mon Sep 17 00:00:00 2001
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Sat, 30 Jan 2021 00:28:31 +0000
Subject: [PATCH 1/3] Create CVE-2020-13937.yaml

---
 cves/2020/CVE-2020-13937.yaml | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 cves/2020/CVE-2020-13937.yaml

diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml
new file mode 100644
index 0000000000..cf254e4528
--- /dev/null
+++ b/cves/2020/CVE-2020-13937.yaml
@@ -0,0 +1,40 @@
+id: CVE-2020-13937
+
+info:
+  name: Apache Kylin Unauth
+  author: pikpikcu
+  severity: info
+  description:  |
+              Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
+              2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
+              2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
+              3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
+              Kylin's configuration information without any authentication,
+              so it is dangerous because some confidential information entries will be disclosed to everyone.
+
+  # References:
+  # https://s.tencent.com/research/bsafe/1156.html
+  # https://nvd.nist.gov/vuln/detail/CVE-2020-13937
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/kylin/api/admin/config"
+    headers:
+      Content-Type: application/json
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "application/json"
+        condition: and
+        part: header
+      - type: word
+        words:
+          - "config"
+        condition: and
+        part: body

From 1e78e2d130da3593f466b5fcbe9a4db2965affbb Mon Sep 17 00:00:00 2001
From: PD-Team <8293321+bauthard@users.noreply.github.com>
Date: Sat, 30 Jan 2021 11:27:56 +0530
Subject: [PATCH 2/3] Update CVE-2020-13937.yaml

---
 cves/2020/CVE-2020-13937.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml
index cf254e4528..36012e3c51 100644
--- a/cves/2020/CVE-2020-13937.yaml
+++ b/cves/2020/CVE-2020-13937.yaml
@@ -4,7 +4,7 @@ info:
   name: Apache Kylin Unauth
   author: pikpikcu
   severity: info
-  description:  |
+  description: |
               Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
               2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
               2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,

From 8bd790f98d39e7f851799350e02f75b7a19358b9 Mon Sep 17 00:00:00 2001
From: PD-Team <8293321+bauthard@users.noreply.github.com>
Date: Sat, 30 Jan 2021 11:39:17 +0530
Subject: [PATCH 3/3] Update CVE-2020-13937.yaml

---
 cves/2020/CVE-2020-13937.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml
index 36012e3c51..000a83e460 100644
--- a/cves/2020/CVE-2020-13937.yaml
+++ b/cves/2020/CVE-2020-13937.yaml
@@ -3,7 +3,7 @@ id: CVE-2020-13937
 info:
   name: Apache Kylin Unauth
   author: pikpikcu
-  severity: info
+  severity: medium
   description: |
               Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
               2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,