| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.kylin:kylin | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-core-common | maven | >= 4.0.0, < 5.0.3 | 5.0.3 |
Analysis of the provided patch indicates that the vulnerability lies in the updateUserWithoutAuth method of the NUserController class. The patch removes this method entirely, together with the security configuration entries that exposed it publicly. The method's name, updateUserWithoutAuth, is itself a strong indicator of its purpose. The changes to kylinSecurity.xml and SecurityConfig.java confirm that the endpoint /api/user/update_user was deliberately exempted from authentication. An attacker could exploit this by sending a crafted request to that endpoint to modify user accounts, bypassing the authentication mechanism. The removal of the corresponding client function updateUser in RestClient.java further corroborates that this functionality was being removed to fix the security issue.
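As an added illustration (not Apache Kylin's code; Kylin's real rules live in kylinSecurity.xml and SecurityConfig.java), the following hypothetical Spring Security 5.x Java configuration shows the weak pattern the analysis describes, a state-changing user-management path exempted from authentication, beside the hardened form that requires a session and also checks authorization on the controller method. The class names, the /api/user/authentication whitelist entry, the request type and the SecurityFilterChain API style are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical configuration written for this illustration; not Kylin's own.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class IllustrativeSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Only genuinely anonymous flows (e.g. the login call) belong on a
            // permitAll list. (Path assumed for the illustration.)
            .antMatchers("/api/user/authentication").permitAll()
            // WEAK: the pattern the analysis attributes to the vulnerable build.
            // Exempting a user-update path lets any unauthenticated client
            // modify accounts. Kept here only as a commented-out example:
            // .antMatchers("/api/user/update_user").permitAll()
            // HARDENED: every other request, user updates included, needs a
            // session.
            .anyRequest().authenticated();
        return http.build();
    }
}

// Hypothetical controller. Authentication at the filter chain is not enough
// for a user-update endpoint; the method must also check authorization:
// the caller is an administrator or is editing their own account.
// (The #req reference needs parameter names retained at compile time.)
@RestController
class IllustrativeUserController {

    @PutMapping("/api/user/update_user")
    @PreAuthorize("hasRole('ADMIN') or #req.username == authentication.name")
    public String updateUser(@RequestBody UpdateUserRequest req) {
        // apply the change to the user store here
        return "updated " + req.username;
    }

    static class UpdateUserRequest {
        public String username;
        public String password;
    }
}
```

After upgrading to the patched version, a defender can confirm that an unauthenticated request to /api/user/update_user is rejected rather than processed, and review access logs for earlier requests to that path.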