CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming Coordinator & SSRF

Xiaoxiang Yu Thu, 06 Jan 2022 03:53:28 -0800

Severity: moderate

Description:


All request mappings in `StreamingCoordinatorController.java` handling 
`/kylin/api/streaming_coordinator/*` REST API endpoints did not include any 
security checks, which allowed an unauthenticated user to issue arbitrary 
requests, such as assigning/unassigning of streaming cubes, 
creation/modification and deletion of replica sets, to the Kylin Coordinator.

For endpoints accepting node details in HTTP message body, unauthenticated (but 
limited) server-side request forgery (SSRF) can be achieved.

This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.

Mitigation:

Users of Kylin 3.x should upgrade to 3.1.3 or apply patch 
https://github.com/apache/kylin/pull/1646.

Credit:

Wei Lin Ngo --

Best wishes to you ! 
From ：Xiaoxiang Yu

CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming Coordinator & SSRF

Reply via email to