Vulnerability Description
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Kylin | >= 2.0.0, <= 2.6.6 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/01/06/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2022/01/06/7Mailing ListThird Party Advisory
- https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfyMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2022/01/06/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2022/01/06/7Mailing ListThird Party Advisory
- https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfyMailing ListVendor Advisory
FAQ
What is CVE-2021-45458?
CVE-2021-45458 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with ...
How severe is CVE-2021-45458?
CVE-2021-45458 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-45458?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Kylin.