CVE-2021-45458

CVE-2021-45458: Hardcoded credentials

Vendor Apache Software Foundation
Product Apache Kylin
Weakness CWE-798 · Hardcoded credentials
Published January 6, 2022
Last update August 4, 2024

CVSS base score

What the vulnerability does

01Description

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

Key dates

02Disclosure timeline

January 6, 2022 CVE published
August 4, 2024 Record updated