CVE-2021-27738 - OpenCVE

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Kylin

Configuration 1 [-]

cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/01/06/6
https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-06T12:35:17

Updated: 2024-08-03T21:26:10.756Z

Reserved: 2021-02-26T00:00:00

Link: CVE-2021-27738

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-06T13:15:07.967

Modified: 2022-01-13T18:04:21.017

Link: CVE-2021-27738

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Kylin", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.1.2", "status": "affected", "version": "Apache Kylin 3", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Wei Lin Ngo <ngo.weilin@starlabs.sg>"}], "descriptions": [{"lang": "en", "value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-06T15:06:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"}, {"name": "[oss-security] 20220106 CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming Coordinator & SSRF", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/6"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Access Control to Streaming Coordinator & SSRF", "workarounds": [{"lang": "en", "value": "Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-27738", "STATE": "PUBLIC", "TITLE": "Improper Access Control to Streaming Coordinator & SSRF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Kylin", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Kylin 3", "version_value": "3.1.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Wei Lin Ngo <ngo.weilin@starlabs.sg>"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70", "refsource": "MISC", "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"}, {"name": "[oss-security] 20220106 CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming Coordinator & SSRF", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/06/6"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:26:10.756Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"}, {"name": "[oss-security] 20220106 CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming Coordinator & SSRF", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/6"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-27738", "datePublished": "2022-01-06T12:35:17", "dateReserved": "2021-02-26T00:00:00", "dateUpdated": "2024-08-03T21:26:10.756Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*", "matchCriteriaId": "48BA5B55-79AE-4B6A-A367-0DE069E9BD12", "versionEndExcluding": "3.1.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2."}, {"lang": "es", "value": "Todos los mapeos de peticiones en \"StreamingCoordinatorController.java\" que manejan los endpoints de la API REST \"/kylin/api/streaming_coordinator/*\" no inclu\u00edan ninguna comprobaci\u00f3n de seguridad, lo que permit\u00eda a un usuario no autenticado emitir peticiones arbitrarias, como la asignaci\u00f3n/desasignaci\u00f3n de cubos de streaming, la creaci\u00f3n/modificaci\u00f3n y la eliminaci\u00f3n de conjuntos de r\u00e9plicas, al Coordinador de Kylin. Para los endpoints que aceptan detalles de nodos en el cuerpo del mensaje HTTP, puede lograrse un ataque de tipo server-side request forgery (SSRF) no autenticado (pero limitado). Este problema afecta a Apache Kylin versiones 3 anteriores a la 3.1.2."}], "id": "CVE-2021-27738", "lastModified": "2022-01-13T18:04:21.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-06T13:15:07.967", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/06/6"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Secondary"}]}