CVE-2021-45457: 
Java vulnerability analysis and mitigation

In Apache Kylin, a vulnerability was identified where cross-origin requests with credentials were allowed to be sent from any origin. This security issue affects multiple versions including Apache Kylin 2 version 2.6.6 and prior versions, Apache Kylin 3 version 3.1.2 and prior versions, and Apache Kylin 4 version 4.0.0 and prior versions. The vulnerability was disclosed in January 2022 and assigned CVE-2021-45457 (NVD, GitHub Lab).

The vulnerability stems from an overly broad CORS (Cross-Origin Resource Sharing) configuration where Kylin reflects the Origin header and allows credentials to be sent cross-origin in the default configuration. The system responds to preflight OPTIONS requests by setting Access-Control-Allow-Origin to match the requesting origin and Access-Control-Allow-Credentials to true, effectively allowing cross-origin requests with credentials from any origin. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows cross-origin requests with credentials to be sent from any origin, potentially exposing sensitive information to unauthorized domains. This could lead to unauthorized access to user data and potential information disclosure when combined with other vulnerabilities (GitHub Lab).

Users of Kylin 2.x and 3.x are advised to upgrade to version 3.1.3 or apply the patch available at https://github.com/apache/kylin/pull/1782. Users of Kylin 4.x should upgrade to version 4.0.1 or apply the patch available at https://github.com/apache/kylin/pull/1781 (OSS Security).