{"schema_version": "1.6.1", "id": "CVE-2021-27738", "summary": "Improper Access Control to Streaming Coordinator & SSRF", "details": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.\n\nFor endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.\n\nThis issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Kylin 3"}, {"fixed": "3.1.2"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"}]}