CVE-2021-45458Hard-coded Credentials in Apache Kylin

CWE-798Hard-coded CredentialsCWE-330Use of Insufficiently Random ValuesCWE-326Inadequate Encryption Strength4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 29.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache KylinApache Software Foundation Apache Kylin
Timeline
PublishedJan 6
Latest updateJan 8

Description

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 an

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/kylin3.0.03.1.3+2
CVEListV5apache_software_foundation/apache_kylinApache Kylin 22.6.6+2

🔴Vulnerability Details

3
OSV
Use of Hard-coded Credentials in Apache Kylin2022-01-08
GHSA
Use of Hard-coded Credentials in Apache Kylin2022-01-08
CVEList
Hardcoded credentials2022-01-06
CVE-2021-45458 — Hard-coded Credentials in Apache Kylin | cvebase