admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2022-01-06 13:01:16 +00:00
parent 11e4a70385
commit 98ac7cdde1
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
11 changed files with 194 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
2021/27xxx/CVE-2021-27738.json
View File

@ -43,7 +43,7 @@
"description_data": [
{
"lang": "eng",
"value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.\n\nFor endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.\n\nThis issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2."
"value": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2."
}
]
},
@ -70,8 +70,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"
"refsource": "MISC",
"url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70",
"name": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"
}
]
},
@ -84,4 +85,4 @@
"value": "Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646."
}
]
}
}

9
2021/31xxx/CVE-2021-31522.json
View File

@ -53,7 +53,7 @@
"description_data": [
{
"lang": "eng",
"value": "Kylin can receive user input and load any class through Class.forName(...).\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
"value": "Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
}
]
},
@ -80,8 +80,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw"
"refsource": "MISC",
"url": "https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw",
"name": "https://lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw"
}
]
},
@ -94,4 +95,4 @@
"value": "Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763."
}
]
}
}

9
2021/36xxx/CVE-2021-36774.json
View File

@ -48,7 +48,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. \nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions."
"value": "Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions."
}
]
},
@ -75,8 +75,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow"
"refsource": "MISC",
"url": "https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow",
"name": "https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow"
}
]
},
@ -89,4 +90,4 @@
"value": "Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1694."
}
]
}
}

61
2021/44xxx/CVE-2021-44584.json
View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-44584",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-44584",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Cross-site scripting (XSS) vulnerability in index.php in emlog version <= pro-1.0.7 allows remote attackers to inject arbitrary web script or HTML via the s parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://github.com/emlog/emlog/issues/113",
"refsource": "MISC",
"name": "https://github.com/emlog/emlog/issues/113"
},
{
"url": "https://github.com/emlog/emlog/commit/3f89610f721120ded3ff491cb9cd99d9927c7582",
"refsource": "MISC",
"name": "https://github.com/emlog/emlog/commit/3f89610f721120ded3ff491cb9cd99d9927c7582"
}
]
}

61
2021/44xxx/CVE-2021-44878.json
View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-44878",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-44878",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Pac4j v5.1 and earlier allows (by default) clients to accept and successfully validate ID Tokens with \"none\" algorithm (i.e., tokens with no signature) which is not secure and violates the OpenID Core Specification. The \"none\" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using \"none\" as the value of \"alg\" key in the header with an empty signature value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae",
"refsource": "MISC",
"name": "https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae"
},
{
"url": "https://openid.net/specs/openid-connect-core-1_0.html#IDToken",
"refsource": "MISC",
"name": "https://openid.net/specs/openid-connect-core-1_0.html#IDToken"
}
]
}

9
2021/45xxx/CVE-2021-45456.json
View File

@ -43,7 +43,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.\nThis issue affects Apache Kylin 4.0.0."
"value": "Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0."
}
]
},
@ -70,8 +70,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf"
"refsource": "MISC",
"url": "https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf",
"name": "https://lists.apache.org/thread/70fkf9w1swt2cqdcz13rwfjvblw1fcpf"
}
]
},
@ -84,4 +85,4 @@
"value": "Users of Kylin 4.0.0 should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781."
}
]
}
}

9
2021/45xxx/CVE-2021-45457.json
View File

@ -53,7 +53,7 @@
"description_data": [
{
"lang": "eng",
"value": "In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.\n\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
"value": "In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
}
]
},
@ -80,8 +80,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"
"refsource": "MISC",
"url": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m",
"name": "https://lists.apache.org/thread/rzv4mq58okwj1n88lry82ol2wwm57q1m"
}
]
},
@ -94,4 +95,4 @@
"value": "\nKylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:\n```\nOPTIONS /kylin/api/projects HTTP/1.1\nHost: localhost:7070\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0\nAccept: */*\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\nAccess-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type\nReferer: http://b49b-95-62-58-48.ngrok.io/\nOrigin: http://b49b-95-62-58-48.ngrok.io\nConnection: keep-alive\nCache-Control: max-age=0\n```\n\nWill be replied with:\n\n```\nHTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nAccess-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io\nAccess-Control-Allow-Credentials: true\nVary: Origin\nAccess-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT\nAccess-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type\nContent-Length: 0\n```\n\nUsers of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781."
}
]
}
}

9
2021/45xxx/CVE-2021-45458.json
View File

@ -53,7 +53,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.\nThis issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
"value": "Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions."
}
]
},
@ -80,8 +80,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"
"refsource": "MISC",
"url": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy",
"name": "https://lists.apache.org/thread/oof215qz188k16vhlo97cm1jksxdowfy"
}
]
},
@ -94,4 +95,4 @@
"value": "Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.\nUsers of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.\n\nAfter upgrading, users can configure the value of `kylin.security.encrypt.cipher.ivSpec` in kylin.properties for encryption algorithm, and then re-encrypt the password they need to encrypt."
}
]
}
}

18
2022/0xxx/CVE-2022-0133.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-0133",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/0xxx/CVE-2022-0134.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-0134",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2022/22xxx/CVE-2022-22719.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-22719",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}