VYPR
High severity · NVD Advisory · Published Jan 6, 2022 · Updated Aug 4, 2024

Hardcoded credentials

CVE-2021-45458

Description

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Kylin's PasswordPlaceholderConfigurer uses a hardcoded key and IV, enabling attackers to decrypt passwords stored in configuration files.

Vulnerability

Apache Kylin's PasswordPlaceholderConfigurer class, intended to encrypt passwords before they are written into configuration files, initializes its cipher with an encryption key and initialization vector (IV) that are hardcoded in the class itself. Because Kylin is open source, those constants are available to anyone who reads the code, and they are identical across every installation. Any value encrypted with this class can therefore be decrypted by anyone who obtains the ciphertext; the "encryption" offers no more protection than an encoding. The vulnerability affects Apache Kylin versions 2.6.6 and prior, 3.1.2 and prior, and 4.0.0 and prior [1][3].

Exploitation

An attacker with read access to Kylin's configuration file (e.g., kylin.properties) can copy out the encrypted password string. Because the algorithm and its hardcoded key/IV are public in the source code, the attacker can decrypt the value offline with a few lines of code, without authenticating to Kylin and without any privilege beyond file read access [1][3]. The same routine works against every affected deployment, since the constants do not vary per installation, and identical passwords produce identical ciphertext, so encrypted values can also be compared across configuration files without decrypting them.
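The following Go program is an added example that is not part of the advisory or of Kylin's code. It reproduces the pattern described above (AES-CBC with a key and IV that live in the source, applied to values in a properties file) and contrasts it with a construction where the key is supplied at runtime. The key, IV and property names are placeholders chosen for illustration, not Kylin's actual constants or configuration keys; Kylin's real algorithm and values are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Placeholder constants standing in for values compiled into an encryption helper.
// Assumption for illustration only, NOT Kylin's real key or IV; the point is that they ship with the code.
var (
	legacyKey = []byte("0123456789abcdef") // 16 bytes: AES-128 key
	legacyIV  = []byte("fedcba9876543210") // 16 bytes, reused for every value
)

// legacyEncrypt reproduces the flawed pattern: AES-CBC with a fixed key and IV, so output is deterministic.
func legacyEncrypt(plain string) string {
	block, _ := aes.NewCipher(legacyKey) // key length is fixed, cannot fail
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...) // PKCS#7 padding
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, legacyIV).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out)
}

// legacyDecrypt is the attacker's offline step: the same constants and algorithm, taken from the source.
func legacyDecrypt(enc string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("not a valid legacy ciphertext")
	}
	block, _ := aes.NewCipher(legacyKey)
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, legacyIV).CryptBlocks(out, ct)
	n := int(out[len(out)-1]) // PKCS#7: last byte is the pad length
	if n == 0 || n > aes.BlockSize {
		return "", errors.New("bad padding")
	}
	return string(out[:len(out)-n]), nil
}

// recoverPasswords walks a properties file and decrypts every value whose key ends in "password".
func recoverPasswords(props string) map[string]string {
	found := map[string]string{}
	for _, line := range strings.Split(props, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || strings.HasPrefix(k, "#") || !strings.HasSuffix(strings.ToLower(k), "password") {
			continue
		}
		if pt, err := legacyDecrypt(strings.TrimSpace(v)); err == nil {
			found[strings.TrimSpace(k)] = pt
		}
	}
	return found
}

// sealedEncrypt/sealedDecrypt: AES-GCM with a key supplied at runtime (never in the source) and a fresh nonce per value.
func sealedEncrypt(key []byte, plain string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil)), nil
}

func sealedDecrypt(key []byte, enc string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("bad key or ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err // wrong key or tampered value: authentication fails
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample config; property names are invented for the example, not Kylin's.
	props := "example.mode=all\nexample.datasource.password=" + legacyEncrypt("s3cret-db-pw") + "\n"
	fmt.Println("recovered from config:", recoverPasswords(props))
}
```

With the legacy scheme, recoverPasswords needs nothing but the file contents: the same function recovers the cleartext on any affected installation. With the sealed scheme, a copy of the source code and the configuration file is not enough; decryption with any key other than the one provided at runtime fails authentication instead of yielding plaintext, and two encryptions of the same password no longer match.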

Impact

Successful decryption discloses the cleartext credential. The attacker can then use it to access whatever the credential protects, typically Kylin's data sources (such as the metadata store or query engines) or other internal services, resulting in information disclosure and potential privilege escalation within the affected environment [1].

Mitigation

Users of Kylin 2.x and 3.x should upgrade to version 3.1.3 or apply the patch available at the GitHub pull request [3][4]. For Kylin 4.x, users should upgrade to version 4.0.1 or apply the corresponding patch [3][4]. The references provide no workaround for unpatched versions. Because the key and IV are public, any password that was encrypted with the affected class and stored in a configuration file an attacker could have read should be treated as exposed and rotated after patching; where possible, keep such secrets in a dedicated secrets management mechanism rather than in the configuration file at all.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.apache.kylin:kylin | Maven | < 3.1.3 | 3.1.3
org.apache.kylin:kylin | Maven | >= 4.0.0, < 4.0.1 | 4.0.1
