PT-2022-2847 · Apache · Apache Kylin

Wei Lin Ngo

·

Published

2022-01-06

·

Updated

2022-01-13

·

CVE-2021-27738

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Kylin versions prior to 3.1.2

Description

The issue is related to insufficient security checks in the StreamingCoordinatorController.java component, which handles the /kylin/api/streaming coordinator/* REST API endpoints. This allows an unauthenticated user to issue arbitrary requests, such as assigning or unassigning streaming cubes, and creating, modifying, or deleting replica sets. For endpoints that accept node details in the HTTP message body, unauthenticated server-side request forgery (SSRF) can be achieved.

Recommendations

For versions prior to 3.1.2, update to version 3.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the /kylin/api/streaming coordinator/* API endpoints to prevent unauthenticated requests. Avoid using the StreamingCoordinatorController.java component until the issue is resolved. Restrict access to endpoints that accept node details in the HTTP message body to minimize the risk of SSRF exploitation.
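The following reverse-proxy configuration is an added example of the temporary workaround described above; it is not part of the advisory and not configuration shipped by the Apache Kylin project. It assumes Kylin is reachable only through an nginx front end and listens locally on port 7070 (Kylin's default), that the coordinator path segment is written with an underscore (the space in the advisory text is taken to be a rendering artifact), and that the hostname, certificate paths and the 10.0.0.0/8 operator network are placeholders to be replaced.

```nginx
# Added example (not from the advisory or the Kylin project): front Kylin with nginx
# and restrict the coordinator REST API to an operator network until 3.1.2 is deployed.
# Assumptions: Kylin on 127.0.0.1:7070 (its default port); path prefix taken from the
# advisory with "_" assumed for the space; hostname, cert paths and 10.0.0.0/8 are placeholders.
upstream kylin {
    server 127.0.0.1:7070;
}

server {
    listen 443 ssl;
    server_name kylin.example.internal;               # placeholder hostname

    ssl_certificate     /etc/nginx/certs/kylin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/kylin.key;   # placeholder path

    # Block the vulnerable StreamingCoordinatorController endpoints for everyone
    # except the operator network. "^~" makes this prefix match take priority
    # over any regex locations, so the deny cannot be bypassed by a later block.
    location ^~ /kylin/api/streaming_coordinator/ {
        allow 10.0.0.0/8;                             # placeholder operator range
        deny  all;                                    # everyone else gets 403
        proxy_pass http://kylin;
    }

    # All other Kylin API and UI traffic passes through unchanged.
    location / {
        proxy_pass http://kylin;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The restriction only helps if port 7070 is not reachable directly from the network (bind it to localhost or firewall it), since a client that can reach Kylin without passing through nginx is unaffected by this rule. Treat the allow list as a stopgap: it limits who can reach the unauthenticated endpoints, but the application-level fix in 3.1.2 is what removes the missing check.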

Fix

SSRF


Weakness Enumeration

Related Identifiers

BDU:2022-03401
CVE-2021-27738
GHSA-WRX7-QGMJ-MF2Q

Affected Products

Apache Kylin