Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Oct 2020 20:00:21 +0800 (CST)
From: "Xiaoxiang Yu" <xxyu@...che.org>
To: info@...rlabs.sg, user@...in.apache.org, dev@...in.apache.org, 
	oss-security@...ts.openwall.com, security@...che.org
Subject: [SECURITY][CVE-2020-13937] Unauthenticated Configuration Disclosure

Versions Affected:

Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha.




Description:

Kylin has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.




Mitigation:

Users could edit "$KYLIN_HOME/WEB-INF/classes/kylinSecurity.xml", and remove this line "<scr:intercept-url pattern="/api/admin/config" access="permitAll"/>". After that,  restart all Kylin instances to make it effective.

Otherwise, you can upgrade Kylin to 3.1.1.




Credit:

This issue was discovered by Ngo Wei Lin (@Creastery) of STAR Labs (@starlabs_sg).

--

Best wishes to you ! 
From ´╝ÜXiaoxiang Yu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.