QwikSec

Security Database

CVE

CWE

Training

CVE-2021-45458

Published: Jan 6, 2022

Modified: Aug 4, 2024

PUBLISHED

Description

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Vendor	Product	Versions
Apache Software Foundation	Apache Kylin	affected `Apache Kylin 2 - <= 2.6.6` affected `Apache Kylin 3 - <= 3.1.2` affected `Apache Kylin 4 - <= 4.0.0`

Weaknesses (CWE)

References

https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy

x_refsource_MISC

[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials

mailing-list

x_refsource_MLIST

[oss-security] 20220106 CVE-2021-45458: Apache Kylin: Hardcoded credentials

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.