CVE-2021-27738 — Server-Side Request Forgery in Apache Kylin

Description

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.

How to fix CVE-2021-27738

To remediate CVE-2021-27738, upgrade the affected package to a fixed version below.

—upgrade to 3.1.3 or later

Is CVE-2021-27738 being exploited?

Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.1.3

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-27738
PATCHgithub.com/apache/kylin
WEBgithub.com/apache/kylin/pull/1646
WEBlists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70
WEB