CVE-2021-45457 in Kylin
Summary
by MITRE • 01/06/2022
In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/09/2022
The vulnerability identified as CVE-2021-45457 represents a critical cross-origin resource sharing (CORS) misconfiguration in Apache Kylin, a distributed analytics engine that provides SQL-like query capabilities over big data platforms. This flaw allows malicious actors to exploit the system's CORS policy by sending cross-origin requests with credentials from any origin, effectively bypassing the security mechanisms designed to prevent unauthorized access to protected resources. The vulnerability affects multiple major versions of Apache Kylin including versions 2.6.6 and earlier, 3.1.2 and earlier, and 4.0.0 and earlier, indicating a widespread impact across the product's lifecycle.
The technical nature of this vulnerability stems from improper implementation of CORS headers within the Apache Kylin web application framework. When a web application receives a cross-origin request with credentials, it should validate the requesting origin against a predefined whitelist of trusted domains. However, in affected versions of Apache Kylin, the system fails to enforce such validation, allowing any external domain to send authenticated requests that could potentially access sensitive data or perform unauthorized operations. This misconfiguration creates a pathway for attackers to leverage legitimate user sessions and credentials to interact with the Kylin application from malicious domains.
The operational impact of this vulnerability is significant as it enables attackers to perform cross-site request forgery attacks and potentially gain unauthorized access to analytical data and system functionalities. An attacker could craft malicious web pages that automatically send authenticated requests to the vulnerable Apache Kylin instance, potentially leading to data exfiltration, unauthorized data manipulation, or privilege escalation. The vulnerability particularly affects environments where Apache Kylin serves sensitive business intelligence data, as the lack of proper CORS restrictions could allow unauthorized parties to access analytical datasets that should remain protected within the organization's network perimeter. This weakness directly violates the principle of least privilege and can result in substantial data loss or compromise of analytical insights.
Organizations should immediately implement mitigations including updating to patched versions of Apache Kylin where available, configuring proper CORS policies with strict origin validation, and implementing additional network-level security controls such as web application firewalls. The vulnerability aligns with CWE-346, which addresses "Origin Validation Error" in security contexts, and can be categorized under ATT&CK technique T1190 for "Exploit Public-Facing Application" and T1566 for "Phishing". Administrators should also consider implementing monitoring solutions to detect anomalous cross-origin requests and establish proper access controls for the Kylin web interface, particularly when the system is exposed to untrusted networks or external users.