| { |
| "containers": { |
| "cna": { |
| "affected": [ |
| { |
| "product": "Apache Kylin", |
| "vendor": "Apache Software Foundation", |
| "versions": [ |
| { |
| "lessThan": "3.1.2", |
| "status": "affected", |
| "version": "Apache Kylin 3", |
| "versionType": "custom" |
| } |
| ] |
| } |
| ], |
| "credits": [ |
| { |
| "lang": "en", |
| "value": "Wei Lin Ngo <ngo.weilin@starlabs.sg>" |
| } |
| ], |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.\n\nFor endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.\n\nThis issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2." |
| } |
| ], |
| "metrics": [ |
| { |
| "other": { |
| "content": { |
| "other": "moderate" |
| }, |
| "type": "unknown" |
| } |
| } |
| ], |
| "problemTypes": [ |
| { |
| "descriptions": [ |
| { |
| "cweId": "CWE-918", |
| "description": "CWE-918 Server-Side Request Forgery (SSRF)", |
| "lang": "en", |
| "type": "CWE" |
| } |
| ] |
| } |
| ], |
| "providerMetadata": { |
| "orgId": "Not found", |
| "shortName": "Not found" |
| }, |
| "references": [ |
| { |
| "tags": [ |
| "x_refsource_CONFIRM" |
| ], |
| "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70" |
| } |
| ], |
| "source": { |
| "discovery": "UNKNOWN" |
| }, |
| "title": "Improper Access Control to Streaming Coordinator & SSRF", |
| "workarounds": [ |
| { |
| "lang": "en", |
| "value": "Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646." |
| } |
| ], |
| "x_ValidationErrors": [ |
| "$.cveMetadata.assignerOrgId -- validator = pattern", |
| "$.containers.cna.providerMetadata.orgId -- validator = pattern" |
| ], |
| "x_generator": { |
| "engine": "Vulnogram 0.0.9" |
| }, |
| "x_legacyV4Record": { |
| "CNA_private": { |
| "CVE_list": [], |
| "CVE_table_description": [], |
| "email": "xxyu@apache.org", |
| "emailed": "", |
| "internal_comments": "", |
| "owner": "kylin", |
| "publish": { |
| "month": "", |
| "year": "", |
| "ym": "" |
| }, |
| "share_with_CVE": true, |
| "todo": [], |
| "userslist": "dev@undefined.apache.org" |
| }, |
| "CVE_data_meta": { |
| "AKA": "", |
| "ASSIGNER": "security@apache.org", |
| "DATE_PUBLIC": "", |
| "ID": "CVE-2021-27738", |
| "STATE": "PUBLIC", |
| "TITLE": "Improper Access Control to Streaming Coordinator & SSRF" |
| }, |
| "affects": { |
| "vendor": { |
| "vendor_data": [ |
| { |
| "product": { |
| "product_data": [ |
| { |
| "product_name": "Apache Kylin", |
| "version": { |
| "version_data": [ |
| { |
| "platform": "", |
| "version_affected": "<", |
| "version_name": "Apache Kylin 3", |
| "version_value": "3.1.2" |
| } |
| ] |
| } |
| } |
| ] |
| }, |
| "vendor_name": "Apache Software Foundation" |
| } |
| ] |
| } |
| }, |
| "configuration": [], |
| "credit": [ |
| { |
| "lang": "eng", |
| "value": "Wei Lin Ngo <ngo.weilin@starlabs.sg>" |
| } |
| ], |
| "data_format": "MITRE", |
| "data_type": "CVE", |
| "data_version": "4.0", |
| "description": { |
| "description_data": [ |
| { |
| "lang": "eng", |
| "value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.\n\nFor endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.\n\nThis issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2." |
| } |
| ] |
| }, |
| "exploit": [], |
| "generator": { |
| "engine": "Vulnogram 0.0.9" |
| }, |
| "impact": [ |
| { |
| "other": "moderate" |
| } |
| ], |
| "problemtype": { |
| "problemtype_data": [ |
| { |
| "description": [ |
| { |
| "lang": "eng", |
| "value": "CWE-918 Server-Side Request Forgery (SSRF)" |
| } |
| ] |
| } |
| ] |
| }, |
| "references": { |
| "reference_data": [ |
| { |
| "name": "", |
| "refsource": "CONFIRM", |
| "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70" |
| } |
| ] |
| }, |
| "solution": [], |
| "source": { |
| "advisory": "", |
| "defect": [], |
| "discovery": "UNKNOWN" |
| }, |
| "timeline": [], |
| "work_around": [ |
| { |
| "lang": "en", |
| "value": "Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646." |
| } |
| ] |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "Not found", |
| "assignerShortName": "Not found", |
| "cveId": "CVE-2021-27738", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
