Date: Thu, 6 Jan 2022 19:55:31 +0800 (CST) From: "Xiaoxiang Yu" <xxyu@...che.org> To: oss-security@...ts.openwall.com Cc: pwntester@...hub.com Subject: CVE-2021-45457: Apache Kylin: Overly broad CORS configuration Severity: moderate Description: Cross-origin requests with credentials are allowed to be sent from any origin. Kylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request: ``` OPTIONS /kylin/api/projects HTTP/1.1 Host: localhost:7070 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type Referer: http://b49b-95-62-58-48.ngrok.io/ Origin: http://b49b-95-62-58-48.ngrok.io Connection: keep-alive Cache-Control: max-age=0 ``` Will be replied with: ``` HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io Access-Control-Allow-Credentials: true Vary: Origin Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type Content-Length: 0 ``` This issue affects Apache Kylin Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions. Mitigation: Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782. Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781. Credit: Alvaro Munoz -- Best wishes to you ! From ：Xiaoxiang Yu
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.