PT-2024-12192 · Apache · Apache Kylin
Li Jiakun · Published 2024-01-29 · Updated 2024-02-02
CVE-2023-29055
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Kylin versions 2.0.0 through 4.0.3
Description
The issue concerns the Server Config web interface in Apache Kylin, which displays the content of the kylin.properties file. This file may contain server-side credentials. When the Kylin service runs over HTTP or another plain-text protocol, a network sniffer can capture the HTTP payload and read the content of kylin.properties, potentially obtaining the credentials it contains.
Recommendations
- For versions 2.0.0 through 4.0.3, always turn on HTTPS to encrypt the network payload.
- For versions 2.0.0 through 4.0.3, avoid putting credentials in kylin.properties, or at least not in plain text.
- For versions 2.0.0 through 4.0.3, use network firewalls to protect the server side, making it inaccessible to external attackers.
- Upgrade to Apache Kylin version 4.0.4, which filters out sensitive content that goes to the Server Config web interface.
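The two server-side mitigations above, filtering sensitive content out of the Server Config view and auditing the file for plain-text credentials, as an added example (not Apache Kylin's own code). It assumes a small Java .properties parser, heuristic key and value patterns for what counts as a credential, and `${ENV}` / `ENC(...)` as markers for values that are not literal secrets; the sample file is constructed.

```python
# Redact and audit credential-bearing entries of a kylin.properties-style file before a
# "Server Config" page serves it. Added example, not Apache Kylin code; all values are constructed.
import re

# Heuristics (assumptions): credential-like key fragments, and "name=value" pairs inside a value.
SENSITIVE_KEY_RE = re.compile(r"password|passwd|secret|token|credential|private[_.-]?key", re.I)
SENSITIVE_VALUE_RE = re.compile(r"(password|passwd|secret)=[^,;&\s]*", re.I)
REDACTED = "<redacted>"

def _logical_lines(text):
    """Join backslash-continued lines; skip blank and '#'/'!' comment lines."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None and (not line or line[0] in "#!"):
            continue
        line = (buf or "") + line
        if (len(line) - len(line.rstrip("\\"))) % 2:  # odd number of trailing backslashes
            buf = line[:-1]
            continue
        buf = None
        yield line
    if buf is not None:
        yield buf

def parse_properties(text):
    """Return {key: value}; the separator may be '=', ':' or whitespace."""
    props = {}
    for line in _logical_lines(text):
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props
def redact_properties(text):
    """The view a config page should serve: secrets replaced, everything else intact."""
    return {k: REDACTED if SENSITIVE_KEY_RE.search(k) and v
            else SENSITIVE_VALUE_RE.sub(r"\1=" + REDACTED, v)
            for k, v in parse_properties(text).items()}
def plaintext_credentials(text):
    """Keys holding a literal credential (not ${ENV} or ENC(...), assumed conventions)."""
    return [k for k, v in parse_properties(text).items()
            if v and not re.fullmatch(r"\$\{[^}]+\}|ENC\(.*\)", v)
            and (SENSITIVE_KEY_RE.search(k) or SENSITIVE_VALUE_RE.search(v))]

SAMPLE = """\
# constructed sample, not a real deployment
kylin.metadata.url=kylin_metadata@jdbc,url=jdbc:mysql://db.example.internal:3306/kylin,\\
    username=kylin,password=Sup3rSecret!
kylin.security.ldap.connection-password=ldap-pass
kylin.storage.hbase.zookeeper-quorum: zk1.example.internal
"""
```

Serving `redact_properties(...)` instead of the raw file is what closes the information leak; `plaintext_credentials(...)` lists the entries that should move to an environment reference or an encrypted value.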
Fix
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Apache Kylin