CVE-2020-13937

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin’s configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.

Weakness

The software stores sensitive information without properly limiting read or write access by unauthorized actors.

Affected Software

Name	Vendor	Start Version	End Version
Kylin	Apache	2.0.0	2.0.0
Kylin	Apache	2.1.0	2.1.0
Kylin	Apache	2.2.0	2.2.0
Kylin	Apache	2.3.0	2.3.0
Kylin	Apache	2.3.1	2.3.1
Kylin	Apache	2.3.2	2.3.2
Kylin	Apache	2.4.0	2.4.0
Kylin	Apache	2.4.1	2.4.1
Kylin	Apache	2.5.0	2.5.0
Kylin	Apache	2.5.1	2.5.1
Kylin	Apache	2.5.2	2.5.2
Kylin	Apache	2.6.0	2.6.0
Kylin	Apache	2.6.1	2.6.1
Kylin	Apache	2.6.2	2.6.2
Kylin	Apache	2.6.3	2.6.3
Kylin	Apache	2.6.4	2.6.4
Kylin	Apache	2.6.5	2.6.5
Kylin	Apache	2.6.6	2.6.6
Kylin	Apache	3.0.0	3.0.0
Kylin	Apache	3.0.0	3.0.0
Kylin	Apache	3.0.0	3.0.0
Kylin	Apache	3.0.0	3.0.0
Kylin	Apache	3.0.1	3.0.1
Kylin	Apache	3.0.2	3.0.2
Kylin	Apache	3.1.0	3.1.0
Kylin	Apache	4.0.0	4.0.0

References

https://lists.apache.org/thread.html/rc592e0dcee5a2615f1d9522af30ef1822c1f863d5e05e7da9d1e57f4%40%3Cuser.kylin.apache.org%3E

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-13937
CWE	https://cwe.mitre.org/data/definitions/922.html

Insecure Storage of Sensitive Information

Weakness

Affected Software

References