Insecure Encryption Affecting org.apache.kylin:kylin-core-common package, versions [,3.1.3) [4.0.0-alpha,4.0.1)


0.0
medium

Snyk CVSS

    Attack Complexity High
    Privileges Required High
    User Interaction Required
    Confidentiality High

    Threat Intelligence

    EPSS 0.24% (64th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGAPACHEKYLIN-2331003
  • published 6 Jan 2022
  • disclosed 6 Jan 2022
  • credit Alvaro Munoz

How to fix?

Upgrade org.apache.kylin:kylin-core-common to version 3.1.3, 4.0.1 or higher.

Overview

org.apache.kylin:kylin-core-common is a package part of Apache Kylin.

Affected versions of this package are vulnerable to Insecure Encryption. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.