Lookup for vulnerable packages by Package URL.

Purl: pkg:maven/org.apache.kylin/kylin@3.0.0
Type: maven
Namespace: org.apache.kylin
Name: kylin
Version: 3.0.0
Qualifiers:
Subpath:
Is_vulnerable: true
Next_non_vulnerable_version: 3.1.3
Latest_non_vulnerable_version: 5.0.3
Affected_by_vulnerabilities:
  0
    url: VCID-8v1x-1x2n-vbhu
    vulnerability_id: VCID-8v1x-1x2n-vbhu
    summary:
      Inadequate Encryption Strength
      Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.
    references:
      0
        reference_url: https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy
        reference_id:
        reference_type:
        scores:
        url: https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy
      1
        reference_url: http://www.openwall.com/lists/oss-security/2022/01/06/3
        reference_id:
        reference_type:
        scores:
        url: http://www.openwall.com/lists/oss-security/2022/01/06/3
      2
        reference_url: http://www.openwall.com/lists/oss-security/2022/01/06/7
        reference_id:
        reference_type:
        scores:
        url: http://www.openwall.com/lists/oss-security/2022/01/06/7
      3
        reference_url: https://nvd.nist.gov/vuln/detail/CVE-2021-45458
        reference_id: CVE-2021-45458
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2021-45458
    fixed_packages:
      0
        url: pkg:maven/org.apache.kylin/kylin@3.1.3
        purl: pkg:maven/org.apache.kylin/kylin@3.1.3
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3
      1
        url: pkg:maven/org.apache.kylin/kylin@4.0.1
        purl: pkg:maven/org.apache.kylin/kylin@4.0.1
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@4.0.1
    aliases: CVE-2021-45458
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-8v1x-1x2n-vbhu
  1
    url: VCID-cret-1sa1-8kd6
    vulnerability_id: VCID-cret-1sa1-8kd6
    summary:
      Server-Side Request Forgery (SSRF)
      All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints does not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3
    references:
      0
        reference_url: https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70
        reference_id:
        reference_type:
        scores:
        url: https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70
      1
        reference_url: http://www.openwall.com/lists/oss-security/2022/01/06/6
        reference_id:
        reference_type:
        scores:
        url: http://www.openwall.com/lists/oss-security/2022/01/06/6
      2
        reference_url: https://nvd.nist.gov/vuln/detail/CVE-2021-27738
        reference_id: CVE-2021-27738
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2021-27738
    fixed_packages:
      0
        url: pkg:maven/org.apache.kylin/kylin@3.1.2
        purl: pkg:maven/org.apache.kylin/kylin@3.1.2
        is_vulnerable: true
        affected_by_vulnerabilities:
          0
            vulnerability: VCID-sz6c-t8m7-z3dj
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.2
    aliases: CVE-2021-27738
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-cret-1sa1-8kd6
  2
    url: VCID-pjr6-y7uu-jqfd
    vulnerability_id: VCID-pjr6-y7uu-jqfd
    summary:
      Insufficiently Protected Credentials
      In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.
    references:
      0
        reference_url: https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m
        reference_id:
        reference_type:
        scores:
        url: https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m
      1
        reference_url: http://www.openwall.com/lists/oss-security/2022/01/06/2
        reference_id:
        reference_type:
        scores:
        url: http://www.openwall.com/lists/oss-security/2022/01/06/2
      2
        reference_url: https://nvd.nist.gov/vuln/detail/CVE-2021-45457
        reference_id: CVE-2021-45457
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2021-45457
    fixed_packages:
      0
        url: pkg:maven/org.apache.kylin/kylin@3.1.3
        purl: pkg:maven/org.apache.kylin/kylin@3.1.3
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3
      1
        url: pkg:maven/org.apache.kylin/kylin@4.0.1
        purl: pkg:maven/org.apache.kylin/kylin@4.0.1
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@4.0.1
    aliases: CVE-2021-45457
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-pjr6-y7uu-jqfd
  3
    url: VCID-sz6c-t8m7-z3dj
    vulnerability_id: VCID-sz6c-t8m7-z3dj
    summary:
      Exposure of Resource to Wrong Sphere
      Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions.
    references:
      0
        reference_url: https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
        reference_id:
        reference_type:
        scores:
        url: https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow
      1
        reference_url: http://www.openwall.com/lists/oss-security/2022/01/06/5
        reference_id:
        reference_type:
        scores:
        url: http://www.openwall.com/lists/oss-security/2022/01/06/5
      2
        reference_url: https://nvd.nist.gov/vuln/detail/CVE-2021-36774
        reference_id: CVE-2021-36774
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2021-36774
    fixed_packages:
      0
        url: pkg:maven/org.apache.kylin/kylin@3.1.3
        purl: pkg:maven/org.apache.kylin/kylin@3.1.3
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3
    aliases: CVE-2021-36774
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-sz6c-t8m7-z3dj
  4
    url: VCID-x2j7-1kq5-e3ec
    vulnerability_id: VCID-x2j7-1kq5-e3ec
    summary:
      Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
      Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.
    references:
      0
        reference_url: https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
        reference_id:
        reference_type:
        scores:
        url: https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw
      1
        reference_url: http://www.openwall.com/lists/oss-security/2022/01/06/4
        reference_id:
        reference_type:
        scores:
        url: http://www.openwall.com/lists/oss-security/2022/01/06/4
      2
        reference_url: https://nvd.nist.gov/vuln/detail/CVE-2021-31522
        reference_id: CVE-2021-31522
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2021-31522
    fixed_packages:
      0
        url: pkg:maven/org.apache.kylin/kylin@3.1.3
        purl: pkg:maven/org.apache.kylin/kylin@3.1.3
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3
      1
        url: pkg:maven/org.apache.kylin/kylin@4.0.1
        purl: pkg:maven/org.apache.kylin/kylin@4.0.1
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@4.0.1
    aliases: CVE-2021-31522
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-x2j7-1kq5-e3ec
Fixing_vulnerabilities:
Risk_score: null
Resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.0.0