Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05Zmo1LWpnNmYtcWc1cs0hGA

Use of Hard-coded Credentials in Apache Kylin

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Permalink: https://github.com/advisories/GHSA-9fj5-jg6f-qg5r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Zmo1LWpnNmYtcWc1cs0hGA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 8 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-9fj5-jg6f-qg5r, CVE-2021-45458
References: Repository: https://github.com/apache/kylin

Affected Packages

maven:org.apache.kylin:kylin
Dependent packages: 2
Dependent repositories: 1
Downloads:
Affected Version Ranges: = 4.0.0, < 3.1.3
Fixed in: 4.0.1, 3.1.3
All affected versions: 1.3.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 4.0.0
All unaffected versions: 3.1.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4