| purl | pkg:maven/org.apache.kylin/kylin@3.0.0 |
|---|---|
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3tdp-fpt7-mycx (Aliases: CVE-2020-1937, GHSA-7hmh-8gwv-mfvq) | SQL Injection: Kylin has some RESTful APIs which concatenate SQL with the user input string, so a user is likely to be able to run malicious database queries. | Affected by 1 other vulnerability. |
| VCID-8ssr-ftym-kubw (Aliases: CVE-2020-1956, GHSA-gprm-xqrc-c2j3) | OS Command Injection: Apache Kylin has some RESTful APIs which concatenate an OS command with the user input string, so a user is likely to be able to execute any OS command without any protection or validation. | Affected by 1 other vulnerability. |
| VCID-8v1x-1x2n-vbhu (Aliases: CVE-2021-45458, GHSA-9fj5-jg6f-qg5r) | Inadequate Encryption Strength: Apache Kylin provides the encryption class PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this class, the cipher is initialized with a hardcoded key and IV. If users use PasswordPlaceholderConfigurer to encrypt their password and configure it into Kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-8ye7-t531-b7hw (Aliases: CVE-2020-13937, GHSA-2hpg-vwqj-6h6w) | Insecure Storage of Sensitive Information: Apache Kylin has one RESTful API which exposes Kylin's configuration information without any authentication. This is dangerous because some confidential configuration entries will be disclosed to everyone. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-cret-1sa1-8kd6 (Aliases: CVE-2021-27738, GHSA-wrx7-qgmj-mf2q) | Server-Side Request Forgery (SSRF): All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints do not include any security checks, which allows an unauthenticated user to issue arbitrary requests to the Kylin Coordinator, such as assigning/unassigning streaming cubes and creating, modifying or deleting replica sets. For endpoints accepting node details in the HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-pjr6-y7uu-jqfd (Aliases: CVE-2021-45457, GHSA-mgpf-hhgf-cxg4) | Insufficiently Protected Credentials: In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-sz6c-t8m7-z3dj (Aliases: CVE-2021-36774, GHSA-5429-pjww-7675) | Exposure of Resource to Wrong Sphere: Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties which, if left unmitigated, can allow an attacker to execute arbitrary code from an attacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions. | Affected by 0 other vulnerabilities. |
| VCID-x2j7-1kq5-e3ec (Aliases: CVE-2021-31522, GHSA-q656-g2x3-8cgh) | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |