CVE-2019-0201
zookeeper: Information disclosure in Apache ZooKeeper
Public Exploits: 0
Exploited in Wild: -
Descriptions
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request from unauthenticated or unprivileged users.
A flaw was found in Apache ZooKeeper. A lack of permission checks while retrieving ACLs allows unsalted hash values to be disclosed for unauthenticated or unprivileged users.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2018-11-14 CVE Reserved
- 2019-05-23 CVE Published
- 2024-08-04 CVE Updated
- 2024-10-13 EPSS Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
- First Exploit: not recorded
CWE
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-862: Missing Authorization
CAPEC
References (22)
URL | Date
---|---
https://issues.apache.org/jira/browse/ZOOKEEPER-1392 | 2023-11-07
https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07
https://www.oracle.com/security-alerts/cpujul2020.html | 2023-11-07
https://www.oracle.com/security-alerts/cpuoct2020.html | 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3140 | 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3892 | 2023-11-07
https://access.redhat.com/errata/RHSA-2019:4352 | 2023-11-07
https://www.debian.org/security/2019/dsa-4461 | 2023-11-07
https://zookeeper.apache.org/security.html#CVE-2019-0201 | 2023-11-07
https://access.redhat.com/security/cve/CVE-2019-0201 | 2019-12-19
https://bugzilla.redhat.com/show_bug.cgi?id=1715197 | 2019-12-19
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Netapp | Hci Bootstrap Os | - | - | Affected
Netapp | Hci Compute Node | - | - | Safe
Apache | Activemq | 5.15.9 | - | Affected
Apache | Drill | 1.16.0 | - | Affected
Apache | Zookeeper | >= 1.0.0 <= 3.4.13 | - | Affected
Apache | Zookeeper | 3.5.0 | - | Affected
Apache | Zookeeper | 3.5.0 | alpha | Affected
Apache | Zookeeper | 3.5.0 | rc0 | Affected
Apache | Zookeeper | 3.5.1 | - | Affected
Apache | Zookeeper | 3.5.1 | alpha | Affected
Apache | Zookeeper | 3.5.1 | rc0 | Affected
Apache | Zookeeper | 3.5.1 | rc1 | Affected
Apache | Zookeeper | 3.5.1 | rc2 | Affected
Apache | Zookeeper | 3.5.1 | rc3 | Affected
Apache | Zookeeper | 3.5.1 | rc4 | Affected
Apache | Zookeeper | 3.5.2 | - | Affected
Apache | Zookeeper | 3.5.2 | alpha | Affected
Apache | Zookeeper | 3.5.2 | rc0 | Affected
Apache | Zookeeper | 3.5.2 | rc1 | Affected
Apache | Zookeeper | 3.5.3 | - | Affected
Apache | Zookeeper | 3.5.3 | beta | Affected
Apache | Zookeeper | 3.5.3 | rc0 | Affected
Apache | Zookeeper | 3.5.3 | rc1 | Affected
Apache | Zookeeper | 3.5.4 | beta | Affected
Debian | Debian Linux | 8.0 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Redhat | Fuse | 1.0.0 | - | Affected
Oracle | Goldengate Stream Analytics | < 19.1.0.0.1 | - | Affected
Oracle | Siebel Core - Server Framework | <= 21.5 | - | Affected
Oracle | Timesten In-memory Database | < 18.1.3.1.0 | - | Affected
Netapp | Element Software | - | - | Affected

The first two Netapp rows are listed together in the source as one paired configuration (Hci Bootstrap Os in Hci Compute Node): the bootstrap OS is the affected component and the compute node is the non-vulnerable platform it runs in.