CVE-2021-27738

All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.

Published: Jan 6, 2022
Updated: May 9, 2024
CVE: CVE-2021-27738
GHSA: GHSA-wrx7-qgmj-mf2q
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-918

Affected Software
References

Software	From	Fixed in
apache / kylin	3.0.0	3.1.2
org.apache.kylin / kylin	-	3.1.3

http://www.openwall.com/lists/oss-security/2022/01/06/6
https://github.com/apache/kylin/pull/1646
https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70

Vulnerability Database

CVE-2021-27738

Deep Security Visibility Without the Complexity