CVE-2021-45458 – org.apache.kylin:kylin

Package

Manager: maven
Name: org.apache.kylin:kylin
Vulnerable Version: >=0 <3.1.3 || =4.0.0 || >=4.0.0 <4.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00649 pctl0.69909

Details

Use of Hard-coded Credentials in Apache Kylin Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Metadata

Created: 2022-01-08T00:43:09Z
Modified: 2023-07-21T19:24:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-9fj5-jg6f-qg5r/GHSA-9fj5-jg6f-qg5r.json
CWE IDs: ["CWE-326", "CWE-330", "CWE-798"]
Alternative ID: GHSA-9fj5-jg6f-qg5r
Finding: F052
Auto approve: 1