GHSA-9fj5-jg6f-qg5r
GitHub Security Advisory
Use of Hard-coded Credentials in Apache Kylin
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Affected Packages
Maven
org.apache.kylin:kylin
Affected versions:
0
(fixed in 3.1.3)
Maven
org.apache.kylin:kylin
Affected versions:
4.0.0
(fixed in 4.0.1)
Related CVEs
Key Information
7.5
/10
Dataset
Last updated: July 28, 2025 6:37 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.