List: oss-security
Subject: [oss-security] CVE-2023-29055: Apache Kylin: Insufficiently protected credentials in config file
From: Li Yang <liyang () apache ! org>
Date: 2024-01-29 11:06:04
Message-ID: 4614723d-7b0e-2a49-5f7a-0b011744eb60 () apache ! org
Severity: low
Affected versions:
- Apache Kylin 2.0.0 through 4.0.3
Description:
In Apache Kylin versions 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of the file 'kylin.properties', which may contain server-side credentials. When the Kylin service runs over HTTP (or another plain-text protocol), a network sniffer can capture the HTTP payload and gain access to the content of kylin.properties, and potentially to any credentials it contains.
To avoid this threat, users are recommended to:
* Always turn on HTTPS so that the network payload is encrypted.
* Avoid putting credentials in kylin.properties, or at least not in plain text.
* Use network firewalls to protect the server side so that it is not accessible to external attackers.
* Upgrade to Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.
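The fourth recommendation, filtering sensitive entries out of what the Server Config page shows, is illustrated below with an added example that is not Apache Kylin's own code and was not part of the advisory. The properties file contents, the list of key substrings treated as sensitive, and the function names are all constructed for this illustration; the advisory does not state which criteria Kylin 4.0.4 uses for its filter.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in kylin.properties style (not taken from any real deployment).
SAMPLE_PROPERTIES = """\
# Kylin server configuration (constructed example)
kylin.server.mode=all
kylin.metadata.url=kylin_metadata@hbase
kylin.source.hive.database-for-flat-table=default
kylin.security.ldap.connection-password=S3cr3tP@ss
kylin.storage.hbase.cluster-fs=hdfs://cluster/
kylin.job.notification-mail-password=mail-pass-123
kylin.web.export-allow-admin=true
"""

# Key substrings treated as sensitive. This list is an assumption made for the
# example; it is not Kylin's filter.
SENSITIVE_MARKERS = ("password", "passwd", "secret", "token",
                     "credential", "private-key", "access-key")
REDACTED = "******"

# One property line: key, optional '=' or ':' separator, remainder as value.
_LINE_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Parse the subset of Java .properties syntax used by kylin.properties.

    Blank lines and lines starting with '#' or '!' are comments and skipped.
    Returns (key, value) pairs in file order.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def is_sensitive(key: str) -> bool:
    """Decide, by key name, whether a property value must never leave the server."""
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def redact_properties(text: str) -> Dict[str, str]:
    """Return the properties with sensitive values replaced by a fixed mask."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in parse_properties(text)}


def render_for_web(text: str) -> str:
    """Produce the text a config-display page may emit: masked, never the raw file."""
    return "\n".join(f"{k}={v}" for k, v in redact_properties(text).items())


if __name__ == "__main__":
    print(render_for_web(SAMPLE_PROPERTIES))
```

The key point of this design is that the web layer only ever receives the output of `render_for_web`, so a plaintext transport cannot leak a secret that was already removed on the server. Masking by key name is a conservative default; any key an operator adds that does not match the markers should be reviewed before the page is exposed, and turning on HTTPS remains necessary for everything the page does show.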
Credit:
Li Jiakun <2839549219@qq.com> (reporter)
References:
https://kylin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-29055