7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-45458

GHSA ID

GHSA-9fj5-jg6f-qg5r

EPSS Score

0.69866%

CWE

CWE-326

Published

1/8/2022

Updated

7/21/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-45458

CVE-2021-45458: Use of Hard-coded Credentials in Apache Kylin

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-45458

GHSA ID

GHSA-9fj5-jg6f-qg5r

EPSS Score

0.69866%

CWE

CWE-326

Published

1/8/2022

Updated

7/21/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.kylin:kylin	maven	< 3.1.3	3.1.3
org.apache.kylin:kylin	maven	= 4.0.0	4.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of static cryptographic parameters in PasswordPlaceholderConfigurer. Both encrypt() and decrypt() functions initialize the cipher with hardcoded values (key/IV), as confirmed by the CVE description and patch references. The patches (PR#1781/PR#1782) likely address this by making these parameters configurable. The functions are explicitly tied to the insecure encryption mechanism described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** Kylin provi**s *n*ryption *l*ss*s P*sswor*Pl****ol**r*on*i*ur*r to **lp us*rs *n*rypt t**ir p*sswor*s. In t** *n*ryption *l*orit*m us** *y t*is *n*ryption *l*ss, t** *ip**r is initi*liz** wit* * **r**o*** k*y *n* IV. I* us*rs us* *l*ss P*sswor

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* st*ti* *rypto*r*p*i* p*r*m*t*rs in `P*sswor*Pl****ol**r*on*i*ur*r`. *ot* `*n*rypt()` *n* `***rypt()` *un*tions initi*liz* t** *ip**r wit* **r**o*** v*lu*s (k*y/IV), *s *on*irm** *y t** *V* **s*ription *n* p*t**

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-45458: Use of Hard-coded Credentials in Apache Kylin

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI