VYPR
High severity · NVD Advisory · Published Jan 29, 2024 · Updated Jun 20, 2025

Apache Kylin: Insufficiently protected credentials in config file

CVE-2023-29055

Description

Apache Kylin Server Config web interface exposes kylin.properties containing credentials, allowing network sniffers over HTTP to capture them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


In Apache Kylin 2.0.0 through 4.0.3, the Server Config page of the web interface renders the content of the kylin.properties file, which may contain server-side credentials. The page serves the property set verbatim, with no filtering of sensitive entries [1][3].

When Kylin is served over HTTP (or any other plaintext protocol), an attacker positioned on the network path can capture the HTTP response and read the credentials contained in kylin.properties [1][3]. The vector is passive interception of a legitimate user's session rather than an authentication bypass: the attacker needs no account of their own, only a view of the unencrypted traffic while an administrator loads the page.

An attacker holding those credentials can gain unauthorized access to the Kylin deployment and to the systems the credentials protect, compromising confidentiality and enabling further compromise [3].

To mitigate this issue, upgrade to Apache Kylin 4.0.4, whose fix skips any property whose key or value contains the string "password" when the configuration is exported for the Server Config page [4]. Because that filter is a literal, case-sensitive substring match, secrets stored under other key names are still displayed, so treat the upgrade as a partial measure. Also serve Kylin over HTTPS (or behind a TLS-terminating reverse proxy) so the page cannot be sniffed, keep credentials out of kylin.properties where the deployment allows it, and restrict network access to the Kylin web port with firewall rules [1][3]. Any credential that was present in kylin.properties on a deployment exposed over HTTP should be considered compromised and rotated.
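The following Python script is an added example written for this page, not Kylin's own code. It parses a constructed kylin.properties sample, applies the same rule the 4.0.4 fix uses (drop an entry when the literal string "password" appears in the key or value), and contrasts it with a stricter, case-insensitive redaction that keeps keys visible but masks values. The property names in the sample and the deny-list patterns are assumptions chosen to illustrate the gap; they are not taken from any real deployment or from the Kylin project.

```python
"""Added example: how the Kylin 4.0.4 'password' filter behaves on a kylin.properties
file and what it does not catch. Illustrative code for this page, not Kylin's own."""
import re
from typing import List, Tuple

# Constructed sample kylin.properties content (not a real deployment). The keys are
# invented to exercise specific cases: a value with password= embedded inline, a key
# containing 'password', a CamelCase 'Password' key, and secrets under other names.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
kylin.metadata.url=kylin_metadata@jdbc,url=jdbc:mysql://db:3306/kylin,username=kylin,password=Hunter2!
kylin.env.hdfs-working-dir=/kylin
kylin.security.ldap.connection-password=ldap-secret
kylin.source.jdbc.Password=CamelCaseLeaks
kylin.storage.s3.access-secret=AKIAEXAMPLESECRET
kylin.web.api-token=abc123
kylin.server.mode=all
"""

Entries = List[Tuple[str, str]]


def parse_properties(text: str) -> Entries:
    """Minimal java.util.Properties-style parser: one 'key=value' (or 'key:value') per
    line; '#'/'!' comment lines and blank lines are skipped. Assumption: no line
    continuations or escape sequences, which is enough for this demo."""
    entries: Entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def patched_filter(entries: Entries) -> Entries:
    """Mirrors the 4.0.4 fix: drop an entry if the literal, case-sensitive string
    'password' appears in either the key or the value."""
    return [(k, v) for k, v in entries if "password" not in k and "password" not in v]


# Suggested stricter rules (an assumption about what a practitioner wants, not Kylin code).
SENSITIVE_KEY = re.compile(
    r"password|passwd|pwd|secret|token|credential|private[-_.]?key", re.IGNORECASE)
# An inline 'password=value' inside a connection string; the value runs to the next
# ',' ';' or whitespace.
SENSITIVE_VALUE = re.compile(r"(password|passwd|pwd|secret)\s*=\s*[^,;\s]+", re.IGNORECASE)


def redact(entries: Entries) -> Entries:
    """Hardened export: every key stays visible (so operators can still see what is
    set), but the value of any sensitive-looking key is replaced, and inline
    password= fields inside other values are masked."""
    out: Entries = []
    for k, v in entries:
        if SENSITIVE_KEY.search(k):
            out.append((k, "***"))
        else:
            out.append((k, SENSITIVE_VALUE.sub(lambda m: f"{m.group(1)}=***", v)))
    return out


def leaks_past_patch(entries: Entries) -> List[str]:
    """Keys that survive the 4.0.4 filter unchanged but that the stricter rules would
    have redacted: the residual exposure on a deployment still served over HTTP."""
    return [k for k, v in patched_filter(entries)
            if SENSITIVE_KEY.search(k) or SENSITIVE_VALUE.search(v)]


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("exported by the 4.0.4 filter:")
    for k, v in patched_filter(props):
        print(f"  {k}={v}")
    print("still leaking under the patched filter:", leaks_past_patch(props))
    print("hardened export:")
    for k, v in redact(props):
        print(f"  {k}={v}")
```

On the constructed sample the patched filter removes only the two entries that literally contain "password", while the CamelCase key, the S3 secret and the API token pass through untouched; the redaction variant keeps all seven keys and masks the four sensitive values. The same script can be pointed at a real kylin.properties (read the file instead of the embedded string) to see what a 4.0.4 Server Config page would still display.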

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.kylin:kylin-core-common (Maven)
Affected versions: >= 2.0.0, < 4.0.4
Patched versions: 4.0.4

Affected products: 2 (list not expanded on this page)

Patches: 1
b60d5ae694df

Minor fix

https://github.com/apache/kylin · XiaoxiangYu · Jul 13, 2023 · via ghsa
1 file changed · +3 −0
  • core-common/src/main/java/org/apache/kylin/common/KylinConfig.java · +3 −0 · modified
    @@ -551,6 +551,9 @@ public String exportAllToString() {
             for (Map.Entry<Object, Object> entry : allProps.entrySet()) {
                 String key = entry.getKey().toString();
                 String value = entry.getValue().toString();
    +            if (key.contains("password") || value.contains("password")) {
    +                continue;
    +            }
                 orderedProperties.setProperty(key, value);
             }
             // Reset some properties which might be overriden by system properties
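Review bot: the check on the two added lines is a case-sensitive literal match, so keys spelled `Password` or `passwd`, and secrets stored under names such as `secret`, `token` or `credential`, still reach the exported string; matching against `key.toLowerCase()` with a small deny-list of patterns would close that gap instead of only `key.contains("password")`. Skipping the entry with `continue` also hides that the property is set at all, which hurts troubleshooting; emitting the key with a masked value (`orderedProperties.setProperty(key, "***")`) keeps the Server Config page useful without exposing the secret. The `value.contains("password")` branch looks intended for connection strings that embed `password=` inline; masking just that field rather than suppressing the whole property would be preferable, and a comment stating that intent would help the next reader of `exportAllToString()`.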
    


References: 5 (list not expanded on this page)

News mentions: 0 (no linked articles in the index yet)