CVE-2021-45458

Name of the Vulnerable Software and Affected Versions Apache Kylin versions 2.6.6 and prior Apache Kylin versions 3.1.2 and prior Apache Kylin versions 4.0.0 and prior

Description Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.

Recommendations For Apache Kylin 2 versions 2.6.6 and prior, consider disabling the PasswordPlaceholderConfigurer class until a patch is available. For Apache Kylin 3 versions 3.1.2 and prior, consider disabling the PasswordPlaceholderConfigurer class until a patch is available. For Apache Kylin 4 versions 4.0.0 and prior, consider disabling the PasswordPlaceholderConfigurer class until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.