static/projects/kylin/CVE-2021-45457.cve.json - security-site - Git at Google

 {
   "containers": {
     "cna": {
       "affected": [
         {
           "product": "Apache Kylin",
           "vendor": "Apache Software Foundation",
           "versions": [
             {
               "lessThanOrEqual": "2.6.6",
               "status": "affected",
               "version": "Apache Kylin 2",
               "versionType": "custom"
             },
             {
               "lessThanOrEqual": "3.1.2",
               "status": "affected",
               "version": "Apache Kylin 3",
               "versionType": "custom"
             },
             {
               "lessThanOrEqual": "4.0.0",
               "status": "affected",
               "version": "Apache Kylin 4",
               "versionType": "custom"
             }
           ]
         }
       ],
       "credits": [
         {
           "lang": "en",
           "value": "Alvaro Munoz <pwntester@github.com>"
         }
       ],
       "descriptions": [
         {
           "lang": "en",
           "value": "In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.\n\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
         }
       ],
       "metrics": [
         {
           "other": {
             "content": {
               "other": "moderate"
             },
             "type": "unknown"
           }
         }
       ],
       "problemTypes": [
         {
           "descriptions": [
             {
               "description": "CORS",
               "lang": "en",
               "type": "text"
             }
           ]
         }
       ],
       "providerMetadata": {
         "orgId": "Not found",
         "shortName": "Not found"
       },
       "references": [
         {
           "tags": [
             "x_refsource_CONFIRM"
           ],
           "url": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"
         }
       ],
       "source": {
         "discovery": "UNKNOWN"
       },
       "title": "Overly broad CORS configuration ",
       "workarounds": [
         {
           "lang": "en",
           "value": "\nKylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:\n```\nOPTIONS /kylin/api/projects HTTP/1.1\nHost: localhost:7070\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0\nAccept: */*\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\nAccess-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type\nReferer: http://b49b-95-62-58-48.ngrok.io/\nOrigin: http://b49b-95-62-58-48.ngrok.io\nConnection: keep-alive\nCache-Control: max-age=0\n```\n\nWill be replied with:\n\n```\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nAccess-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io\nAccess-Control-Allow-Credentials: true\nVary: Origin\nAccess-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT\nAccess-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type\nContent-Length: 0\n```\n\nUsers of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781."
         }
       ],
       "x_ValidationErrors": [
         "$.cveMetadata.assignerOrgId -- validator = pattern",
         "$.containers.cna.providerMetadata.orgId -- validator = pattern"
       ],
       "x_generator": {
         "engine": "Vulnogram 0.0.9"
       },
       "x_legacyV4Record": {
         "CNA_private": {
           "CVE_list": [],
           "CVE_table_description": [],
           "email": "",
           "emailed": "",
           "internal_comments": "",
           "owner": "kylin",
           "publish": {
             "month": "",
             "year": "",
             "ym": ""
           },
           "share_with_CVE": true,
           "todo": [],
           "userslist": "dev@kylin.apache.org"
         },
         "CVE_data_meta": {
           "AKA": "",
           "ASSIGNER": "security@apache.org",
           "DATE_PUBLIC": "",
           "ID": "CVE-2021-45457",
           "STATE": "PUBLIC",
           "TITLE": "Overly broad CORS configuration "
         },
         "affects": {
           "vendor": {
             "vendor_data": [
               {
                 "product": {
                   "product_data": [
                     {
                       "product_name": "Apache Kylin",
                       "version": {
                         "version_data": [
                           {
                             "platform": "",
                             "version_affected": "<=",
                             "version_name": "Apache Kylin 2",
                             "version_value": "2.6.6"
                           },
                           {
                             "platform": "",
                             "version_affected": "<=",
                             "version_name": "Apache Kylin 3",
                             "version_value": "3.1.2"
                           },
                           {
                             "platform": "",
                             "version_affected": "<=",
                             "version_name": "Apache Kylin 4",
                             "version_value": "4.0.0"
                           }
                         ]
                       }
                     }
                   ]
                 },
                 "vendor_name": "Apache Software Foundation"
               }
             ]
           }
         },
         "configuration": [],
         "credit": [
           {
             "lang": "eng",
             "value": "Alvaro Munoz <pwntester@github.com>"
           }
         ],
         "data_format": "MITRE",
         "data_type": "CVE",
         "data_version": "4.0",
         "description": {
           "description_data": [
             {
               "lang": "eng",
               "value": "In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.\n\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
             }
           ]
         },
         "exploit": [],
         "generator": {
           "engine": "Vulnogram 0.0.9"
         },
         "impact": [
           {
             "other": "moderate"
           }
         ],
         "problemtype": {
           "problemtype_data": [
             {
               "description": [
                 {
                   "lang": "eng",
                   "value": "CORS"
                 }
               ]
             }
           ]
         },
         "references": {
           "reference_data": [
             {
               "name": "",
               "refsource": "CONFIRM",
               "url": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"
             }
           ]
         },
         "solution": [],
         "source": {
           "advisory": "",
           "defect": [],
           "discovery": "UNKNOWN"
         },
         "timeline": [],
         "work_around": [
           {
             "lang": "en",
             "value": "\nKylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:\n```\nOPTIONS /kylin/api/projects HTTP/1.1\nHost: localhost:7070\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0\nAccept: */*\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\nAccess-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type\nReferer: http://b49b-95-62-58-48.ngrok.io/\nOrigin: http://b49b-95-62-58-48.ngrok.io\nConnection: keep-alive\nCache-Control: max-age=0\n```\n\nWill be replied with:\n\n```\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nAccess-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io\nAccess-Control-Allow-Credentials: true\nVary: Origin\nAccess-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT\nAccess-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type\nContent-Length: 0\n```\n\nUsers of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781."
           }
         ]
       }
     }
   },
   "cveMetadata": {
     "assignerOrgId": "Not found",
     "assignerShortName": "Not found",
     "cveId": "CVE-2021-45457",
     "state": "PUBLISHED"
   },
   "dataType": "CVE_RECORD",
   "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"affected": [
	{
	"product": "Apache Kylin",
	"vendor": "Apache Software Foundation",
	"versions": [
	{
	"lessThanOrEqual": "2.6.6",
	"status": "affected",
	"version": "Apache Kylin 2",
	"versionType": "custom"
	},
	{
	"lessThanOrEqual": "3.1.2",
	"status": "affected",
	"version": "Apache Kylin 3",
	"versionType": "custom"
	},
	{
	"lessThanOrEqual": "4.0.0",
	"status": "affected",
	"version": "Apache Kylin 4",
	"versionType": "custom"
	}
	]
	}
	],
	"credits": [
	{
	"lang": "en",
	"value": "Alvaro Munoz <pwntester@github.com>"
	}
	],
	"descriptions": [
	{
	"lang": "en",
	"value": "In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.\n\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
	}
	],
	"metrics": [
	{
	"other": {
	"content": {
	"other": "moderate"
	},
	"type": "unknown"
	}
	}
	],
	"problemTypes": [
	{
	"descriptions": [
	{
	"description": "CORS",
	"lang": "en",
	"type": "text"
	}
	]
	}
	],
	"providerMetadata": {
	"orgId": "Not found",
	"shortName": "Not found"
	},
	"references": [
	{
	"tags": [
	"x_refsource_CONFIRM"
	],
	"url": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"
	}
	],
	"source": {
	"discovery": "UNKNOWN"
	},
	"title": "Overly broad CORS configuration ",
	"workarounds": [
	{
	"lang": "en",
	"value": "\nKylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:\n```\nOPTIONS /kylin/api/projects HTTP/1.1\nHost: localhost:7070\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0\nAccept: /\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\nAccess-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type\nReferer: http://b49b-95-62-58-48.ngrok.io/\nOrigin: http://b49b-95-62-58-48.ngrok.io\nConnection: keep-alive\nCache-Control: max-age=0\n```\n\nWill be replied with:\n\n```\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nAccess-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io\nAccess-Control-Allow-Credentials: true\nVary: Origin\nAccess-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT\nAccess-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type\nContent-Length: 0\n```\n\nUsers of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781."
	}
	],
	"x_ValidationErrors": [
	"$.cveMetadata.assignerOrgId -- validator = pattern",
	"$.containers.cna.providerMetadata.orgId -- validator = pattern"
	],
	"x_generator": {
	"engine": "Vulnogram 0.0.9"
	},
	"x_legacyV4Record": {
	"CNA_private": {
	"CVE_list": [],
	"CVE_table_description": [],
	"email": "",
	"emailed": "",
	"internal_comments": "",
	"owner": "kylin",
	"publish": {
	"month": "",
	"year": "",
	"ym": ""
	},
	"share_with_CVE": true,
	"todo": [],
	"userslist": "dev@kylin.apache.org"
	},
	"CVE_data_meta": {
	"AKA": "",
	"ASSIGNER": "security@apache.org",
	"DATE_PUBLIC": "",
	"ID": "CVE-2021-45457",
	"STATE": "PUBLIC",
	"TITLE": "Overly broad CORS configuration "
	},
	"affects": {
	"vendor": {
	"vendor_data": [
	{
	"product": {
	"product_data": [
	{
	"product_name": "Apache Kylin",
	"version": {
	"version_data": [
	{
	"platform": "",
	"version_affected": "<=",
	"version_name": "Apache Kylin 2",
	"version_value": "2.6.6"
	},
	{
	"platform": "",
	"version_affected": "<=",
	"version_name": "Apache Kylin 3",
	"version_value": "3.1.2"
	},
	{
	"platform": "",
	"version_affected": "<=",
	"version_name": "Apache Kylin 4",
	"version_value": "4.0.0"
	}
	]
	}
	}
	]
	},
	"vendor_name": "Apache Software Foundation"
	}
	]
	}
	},
	"configuration": [],
	"credit": [
	{
	"lang": "eng",
	"value": "Alvaro Munoz <pwntester@github.com>"
	}
	],
	"data_format": "MITRE",
	"data_type": "CVE",
	"data_version": "4.0",
	"description": {
	"description_data": [
	{
	"lang": "eng",
	"value": "In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.\n\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
	}
	]
	},
	"exploit": [],
	"generator": {
	"engine": "Vulnogram 0.0.9"
	},
	"impact": [
	{
	"other": "moderate"
	}
	],
	"problemtype": {
	"problemtype_data": [
	{
	"description": [
	{
	"lang": "eng",
	"value": "CORS"
	}
	]
	}
	]
	},
	"references": {
	"reference_data": [
	{
	"name": "",
	"refsource": "CONFIRM",
	"url": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"
	}
	]
	},
	"solution": [],
	"source": {
	"advisory": "",
	"defect": [],
	"discovery": "UNKNOWN"
	},
	"timeline": [],
	"work_around": [
	{
	"lang": "en",
	"value": "\nKylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:\n```\nOPTIONS /kylin/api/projects HTTP/1.1\nHost: localhost:7070\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0\nAccept: /\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\nAccess-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type\nReferer: http://b49b-95-62-58-48.ngrok.io/\nOrigin: http://b49b-95-62-58-48.ngrok.io\nConnection: keep-alive\nCache-Control: max-age=0\n```\n\nWill be replied with:\n\n```\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nAccess-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io\nAccess-Control-Allow-Credentials: true\nVary: Origin\nAccess-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT\nAccess-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type\nContent-Length: 0\n```\n\nUsers of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781."
	}
	]
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "Not found",
	"assignerShortName": "Not found",
	"cveId": "CVE-2021-45457",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}