{"url":"http://public2.vulnerablecode.io/api/packages/59997?format=json","purl":"pkg:maven/org.apache.kylin/kylin@3.0.0","type":"maven","namespace":"org.apache.kylin","name":"kylin","version":"3.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.3","latest_non_vulnerable_version":"5.0.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41975?format=json","vulnerability_id":"VCID-8v1x-1x2n-vbhu","summary":"Inadequate Encryption Strength\nApache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.","references":[{"reference_url":"https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/01/06/3","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/01/06/3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/01/06/7","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/01/06/7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45458","reference_id":"CVE-2021-45458","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45458"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59999?format=json","purl":"pkg:maven/org.apache.kylin/kylin@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/60000?format=json","purl":"pkg:maven/org.apache.kylin/kylin@4.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@4.0.1"}],"aliases":["CVE-2021-45458"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8v1x-1x2n-vbhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41984?format=json","vulnerability_id":"VCID-cret-1sa1-8kd6","summary":"Server-Side Request Forgery (SSRF)\nAll request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints does not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3","references":[{"reference_url":"https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/01/06/6","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/01/06/6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27738","reference_id":"CVE-2021-27738","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27738"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60026?format=json","purl":"pkg:maven/org.apache.kylin/kylin@3.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-sz6c-t8m7-z3dj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.2"}],"aliases":["CVE-2021-27738"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cret-1sa1-8kd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41972?format=json","vulnerability_id":"VCID-pjr6-y7uu-jqfd","summary":"Insufficiently Protected Credentials\nIn Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.","references":[{"reference_url":"https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/01/06/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/01/06/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45457","reference_id":"CVE-2021-45457","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45457"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59999?format=json","purl":"pkg:maven/org.apache.kylin/kylin@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/60000?format=json","purl":"pkg:maven/org.apache.kylin/kylin@4.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@4.0.1"}],"aliases":["CVE-2021-45457"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pjr6-y7uu-jqfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41998?format=json","vulnerability_id":"VCID-sz6c-t8m7-z3dj","summary":"Exposure of Resource to Wrong Sphere\nApache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions.","references":[{"reference_url":"https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/01/06/5","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/01/06/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36774","reference_id":"CVE-2021-36774","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36774"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59999?format=json","purl":"pkg:maven/org.apache.kylin/kylin@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3"}],"aliases":["CVE-2021-36774"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sz6c-t8m7-z3dj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41986?format=json","vulnerability_id":"VCID-x2j7-1kq5-e3ec","summary":"Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')\nKylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 and prior versions; Apache Kylin 3 and prior versions; Apache Kylin 4 and prior versions.","references":[{"reference_url":"https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/01/06/4","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/01/06/4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31522","reference_id":"CVE-2021-31522","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31522"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59999?format=json","purl":"pkg:maven/org.apache.kylin/kylin@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/60000?format=json","purl":"pkg:maven/org.apache.kylin/kylin@4.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@4.0.1"}],"aliases":["CVE-2021-31522"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x2j7-1kq5-e3ec"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.kylin/kylin@3.0.0"}