CVE-2021-45458 is a vulnerability in Apache Kylin
Published on January 6, 2022
Hardcoded credentials
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Weakness Type
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Products Associated with CVE-2021-45458
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-45458 are published in Apache Kylin:
Affected Versions
Apache Software Foundation Apache Kylin:- Version Apache Kylin 2, <= 2.6.6 is affected.
- Version Apache Kylin 3, <= 3.1.2 is affected.
- Version Apache Kylin 4, <= 4.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.