5.9

CVE-2019-0201

EPSS 0.29%
Veröffentlicht 23.05.2019 14:29:07
Zuletzt bearbeitet 21.11.2024 04:16:28
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 23

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Activemq Version5.15.9

Apache ≫ Drill Version1.16.0

Apache ≫ Zookeeper Version >= 1.0.0 <= 3.4.13

Apache ≫ Zookeeper Version3.5.0 Update-

Apache ≫ Zookeeper Version3.5.0 Updatealpha

Apache ≫ Zookeeper Version3.5.0 Updaterc0

Apache ≫ Zookeeper Version3.5.1 Update-

Apache ≫ Zookeeper Version3.5.1 Updatealpha

Apache ≫ Zookeeper Version3.5.1 Updaterc0

Apache ≫ Zookeeper Version3.5.1 Updaterc1

Apache ≫ Zookeeper Version3.5.1 Updaterc2

Apache ≫ Zookeeper Version3.5.1 Updaterc3

Apache ≫ Zookeeper Version3.5.1 Updaterc4

Apache ≫ Zookeeper Version3.5.2 Update-

Apache ≫ Zookeeper Version3.5.2 Updatealpha

Apache ≫ Zookeeper Version3.5.2 Updaterc0

Apache ≫ Zookeeper Version3.5.2 Updaterc1

Apache ≫ Zookeeper Version3.5.3 Update-

Apache ≫ Zookeeper Version3.5.3 Updatebeta

Apache ≫ Zookeeper Version3.5.3 Updaterc0

Apache ≫ Zookeeper Version3.5.3 Updaterc1

Apache ≫ Zookeeper Version3.5.4 Updatebeta

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Redhat ≫ Fuse Version1.0.0

Oracle ≫ Goldengate Stream Analytics Version < 19.1.0.0.1

Oracle ≫ Siebel Core - Server Framework Version <= 21.5

Oracle ≫ Timesten In-memory Database Version < 18.1.3.1.0

Netapp ≫ Hci Bootstrap Os Version-

Netapp ≫ Hci Compute Node Version-

Netapp ≫ Element Software Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.523

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

https://www.oracle.com/security-alerts/cpujul2020.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E

https://access.redhat.com/errata/RHSA-2019:3892

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3140

Third Party Advisory

http://www.securityfocus.com/bid/108427

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2019:4352

Third Party Advisory

https://issues.apache.org/jira/browse/ZOOKEEPER-1392

Patch

Vendor Advisory

Issue Tracking

https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E

https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html

Third Party Advisory

Mailing List

https://seclists.org/bugtraq/2019/Jun/13

Third Party Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20190619-0001/

Third Party Advisory

https://www.debian.org/security/2019/dsa-4461

Third Party Advisory

https://zookeeper.apache.org/security.html#CVE-2019-0201

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-0201

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-0201

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-0201

EUVD