|
Message-ID: <360777c3.7d8b.17540bb5b7a.Coremail.xxyu@apache.org> Date: Mon, 19 Oct 2020 20:00:21 +0800 (CST) From: "Xiaoxiang Yu" <xxyu@...che.org> To: info@...rlabs.sg, user@...in.apache.org, dev@...in.apache.org, oss-security@...ts.openwall.com, security@...che.org Subject: [SECURITY][CVE-2020-13937] Unauthenticated Configuration Disclosure Versions Affected: Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha. Description: Kylin has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone. Mitigation: Users could edit "$KYLIN_HOME/WEB-INF/classes/kylinSecurity.xml", and remove this line "<scr:intercept-url pattern="/api/admin/config" access="permitAll"/>". After that, restart all Kylin instances to make it effective. Otherwise, you can upgrade Kylin to 3.1.1. Credit: This issue was discovered by Ngo Wei Lin (@Creastery) of STAR Labs (@starlabs_sg). -- Best wishes to you ! From :Xiaoxiang Yu
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.