Information Exposure Affecting org.apache.kylin:kylin-server package, versions [,3.1.3) [4.0.0-alpha,4.0.1)


Snyk CVSS: medium
  • Attack Complexity: Low

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.18% (54th percentile)

NVD: 7.5 high

  • Snyk ID SNYK-JAVA-ORGAPACHEKYLIN-2331052
  • published 6 Jan 2022
  • disclosed 6 Jan 2022
  • credit Alvaro Munoz

How to fix?

Upgrade org.apache.kylin:kylin-server to version 3.1.3, 4.0.1 or higher.

Overview

org.apache.kylin:kylin-server is an analytics engine, contributed by eBay Inc., that provides a SQL interface and multi-dimensional analysis (OLAP) on Hadoop, supporting extremely large datasets.

Affected versions of this package are vulnerable to Information Exposure because the server reflects the request's Origin header in its CORS response, which allows credentials to be sent cross-origin in the default configuration.

PoC:

// request:

OPTIONS /kylin/api/projects HTTP/1.1
Host: localhost:7070
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: http://b49b-95-62-58-48.ngrok.io/
Origin: http://b49b-95-62-58-48.ngrok.io
Connection: keep-alive
Cache-Control: max-age=0

// reply:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
Access-Control-Allow-Credentials: true
Vary: Origin
Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type
Content-Length: 0
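
One way to check a captured preflight exchange for the pattern shown in the PoC, as an added example that is not part of the original advisory or of Apache Kylin's code. The function names, the `trusted_origins` parameter and the sample messages are constructed for illustration.

```python
# Added example: audit a captured CORS preflight exchange for the
# origin-reflection-with-credentials pattern described in this advisory.

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP message head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip request/status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_cors(request_raw: str, response_raw: str, trusted_origins=frozenset()) -> list:
    """Return findings for one request/response pair (empty list = clean)."""
    req, resp = parse_headers(request_raw), parse_headers(response_raw)
    origin = req.get("origin")
    acao = resp.get("access-control-allow-origin")
    creds = resp.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if origin is None or acao is None:
        return findings  # not a CORS exchange, or no cross-origin access granted
    if acao == origin and origin not in trusted_origins:
        findings.append("untrusted Origin echoed in Access-Control-Allow-Origin")
        if creds:
            findings.append("credentials allowed for untrusted origin")
    elif acao == "*" and creds:
        findings.append("wildcard origin combined with credentials (browsers reject this)")
    return findings

# Constructed sample messages, using a reserved example domain as the origin.
SAMPLE_REQUEST = """OPTIONS /kylin/api/projects HTTP/1.1
Host: localhost:7070
Origin: http://untrusted.example
Access-Control-Request-Method: POST
"""
SAMPLE_REFLECTING = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://untrusted.example
Access-Control-Allow-Credentials: true
Vary: Origin
"""
SAMPLE_NO_CORS = """HTTP/1.1 200 OK
Content-Length: 0
"""

if __name__ == "__main__":
    print(audit_cors(SAMPLE_REQUEST, SAMPLE_REFLECTING))
    print(audit_cors(SAMPLE_REQUEST, SAMPLE_NO_CORS))
```

Passing the deployment's real front-end origins as `trusted_origins` keeps legitimate cross-origin grants from being flagged.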