VYPR
High severity · NVD Advisory · Published Jan 6, 2022 · Updated Aug 4, 2024

Overly broad CORS configuration

CVE-2021-45457

Description

In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Kylin's CORS configuration allows cross-origin requests with credentials from any origin, enabling potential credential theft or unauthorized API access.

Vulnerability

Apache Kylin versions 2.6.6 and prior, 3.1.2 and prior, and 4.0.0 and prior contain an overly broad Cross-Origin Resource Sharing (CORS) configuration. The server reflects the Origin header in the Access-Control-Allow-Origin response and sets Access-Control-Allow-Credentials to true, allowing cross-origin requests with credentials from any origin [1][3]. No special configuration is required to reach the vulnerable code path, as this is the default CORS policy.

Exploitation

An attacker hosting a malicious website can craft a preflight OPTIONS request to a Kylin endpoint, and the server answers it with the attacker's origin reflected and credentials allowed. Subsequent authenticated requests from the attacker's site can include Kylin session cookies or other credentials, enabling cross-origin data access. The attacker needs no prior authentication to Kylin; they only need to lure a logged-in Kylin user to visit the malicious site [3].

Impact

Successful exploitation allows the attacker to perform actions on the Kylin API as the victim user, potentially leading to unauthorized information disclosure, data modification, or other operations depending on the victim’s privileges. Since credentials are forwarded, any API endpoint that the victim can access may be invoked cross-origin.

Mitigation

A fix has been proposed in pull request #1781 on GitHub to restrict the CORS configuration [4]. As of the publication date (2022-01-06), a patched version has not been released. Administrators should restrict the Access-Control-Allow-Origin header to trusted origins, for example by configuring a whitelist in the Kylin server settings. This CVE is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
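The two halves of this advisory, the reflected-origin-plus-credentials response described under Vulnerability and the trusted-origin allow-list recommended here, as an added example that is not Kylin's code or part of the original advisory. The check classifies a captured response against the Origin that was sent; the policy function shows what a hardened server should emit instead. All origins and header values are constructed samples.

```python
"""Defender-side check for a reflect-any CORS policy, plus the allow-list form."""
from typing import Dict, Mapping, Optional, Set


def is_credentialed_reflection(origin_sent: str, headers: Mapping[str, str]) -> bool:
    """True when the server echoed the arbitrary Origin we sent AND granted credentials.

    Header names are matched case-insensitively, as HTTP requires. A literal "*"
    is not flagged: browsers refuse to pair "*" with credentials, so only an
    echoed origin is usable by a credentialed cross-origin request.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    reflected = acao is not None and acao == origin_sent
    return reflected and acac


def allowlist_cors_headers(origin: Optional[str], allowed: Set[str]) -> Dict[str, str]:
    """Hardened policy: echo only origins on a fixed allow-list, and only then
    grant credentials. Any other origin gets no CORS headers, so the browser
    blocks the cross-origin read."""
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Stop a shared cache from replaying one origin's answer to another.
        "Vary": "Origin",
    }


# Constructed probe origin and a constructed sample of what an over-permissive
# server returns when it simply reflects whatever Origin it received.
PROBE_ORIGIN = "https://untrusted.example"
REFLECTING_RESPONSE = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
# Constructed allow-list an administrator might configure for a BI front end.
TRUSTED_ORIGINS = {"https://bi.corp.example"}

if __name__ == "__main__":
    print("reflecting server vulnerable:",
          is_credentialed_reflection(PROBE_ORIGIN, REFLECTING_RESPONSE))
    print("allow-list reply to untrusted origin:",
          allowlist_cors_headers(PROBE_ORIGIN, TRUSTED_ORIGINS))
```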

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions     Patched versions
org.apache.kylin:kylin    Maven       < 3.1.3               3.1.3
org.apache.kylin:kylin    Maven       >= 4.0.0, < 4.0.1     4.0.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.