CVE-2021-45458: Hardcoded credentials
First published: Thu Jan 06 2022(Updated: )
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.kylin:kylin | =4.0.0 | 4.0.1 |
| maven/org.apache.kylin:kylin | <3.1.3 | 3.1.3 |
| Apache Kylin | >=2.0.0<=2.6.6 | |
| Apache Kylin | >=3.0.0<3.1.3 | |
| Apache Kylin | =4.0.0 | |
| Apache Kylin | =4.0.0-alpha | |
| Apache Kylin | =4.0.0-beta | |
| >=2.0.0<=2.6.6 | ||
| >=3.0.0<3.1.3 | ||
| =4.0.0 | ||
| =4.0.0-alpha | ||
| =4.0.0-beta |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-45458
- https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy
- http://www.openwall.com/lists/oss-security/2022/01/06/3
- http://www.openwall.com/lists/oss-security/2022/01/06/7
- https://github.com/apache/kylin/pull/1781
- https://github.com/apache/kylin/pull/1782
- https://github.com/advisories/GHSA-9fj5-jg6f-qg5r (Advisory)
Frequently Asked Questions
What is CVE-2021-45458?
CVE-2021-45458 is a vulnerability in Apache Kylin that allows users' encrypted passwords to be easily decrypted.
How does Apache Kylin encryption class PasswordPlaceholderConfigurer work?
Apache Kylin encryption class PasswordPlaceholderConfigurer helps users encrypt their passwords.
What is the severity of CVE-2021-45458?
The severity of CVE-2021-45458 is high, with a CVSS score of 7.5.
Which versions of Apache Kylin are affected by CVE-2021-45458?
The versions affected by CVE-2021-45458 range from 2.0.0 to 2.6.6, 3.0.0 to 3.1.3, 4.0.0-alpha, 4.0.0-beta, and 4.0.0.
How can I fix CVE-2021-45458?
To fix CVE-2021-45458, users should update to version 4.0.1 for Apache Kylin or version 3.1.3 for the maven package org.apache.kylin:kylin.
- collector/github-advisory-latest
- alias/GHSA-9fj5-jg6f-qg5r
- alias/CVE-2021-45458
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/type
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- agent/trending
- package-manager/maven
- vendor/apache
- canonical/apache kylin
- version/apache kylin/2.0.0
- version/apache kylin/2.6.6
- version/apache kylin/3.0.0
- version/apache kylin/4.0.0
- version/apache kylin/4.0.0-alpha
- version/apache kylin/4.0.0-beta