References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
     *cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:* versions from (including) 2.0.0 up to (excluding) 4.0.4

NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

http://www.openwall.com/lists/oss-security/2024/01/29/1 No Types Assigned

http://www.openwall.com/lists/oss-security/2024/01/29/1 Mailing List

https://lists.apache.org/thread/o1bvyv9wnfkx7dxpfjlor20nykgsoh6r No Types Assigned

https://lists.apache.org/thread/o1bvyv9wnfkx7dxpfjlor20nykgsoh6r Mailing List

Apache Software Foundation http://www.openwall.com/lists/oss-security/2024/01/29/1 [No types assigned]

Apache Software Foundation CWE-522

In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials.

To avoid this threat, users are recommended to 

  *  Always turn on HTTPS so that network payload

Apache Software Foundation https://lists.apache.org/thread/o1bvyv9wnfkx7dxpfjlor20nykgsoh6r [No types assigned]