CVE-2023-29055: 
Java vulnerability analysis and mitigation

CVE-2023-29055 affects Apache Kylin versions 2.0.0 through 4.0.3. The vulnerability involves a Server Config web interface that displays the content of the 'kylin.properties' file, which may contain server-side credentials. This vulnerability was discovered by Li Jiakun and was publicly disclosed on January 29, 2024 (OSS Security).

The vulnerability stems from the exposure of sensitive configuration data through the Server Config web interface. When Apache Kylin runs over HTTP or other plain text protocols, network sniffers can potentially intercept the HTTP payload and access the contents of kylin.properties file, including any credentials stored within. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact with network-based attack vector (NVD).

The primary impact of this vulnerability is the potential exposure of server-side credentials stored in the kylin.properties file. This could lead to unauthorized access to sensitive configuration data and credentials when the service runs over unencrypted protocols (OSS Security).

Several mitigation strategies are recommended: 1) Enable HTTPS to encrypt network payload, 2) Avoid storing credentials in kylin.properties, or at least not in plain text, 3) Implement network firewalls to protect the server side from external attackers, 4) Upgrade to Apache Kylin version 4.0.4, which filters out sensitive content from the Server Config web interface (OSS Security).