
CVE-2019-0201

zookeeper: Information disclosure in Apache ZooKeeper

Severity Score: 5.9 (CVSS v3.1)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value is disclosed by a getACL() request to unauthenticated or unprivileged users.


A flaw was found in Apache ZooKeeper. A lack of permission checks while retrieving ACLs allows unsalted hash values to be disclosed for unauthenticated or unprivileged users.
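As an added illustration (not part of this advisory or of the ZooKeeper project), the Python below does the two checks an operator would want after reading the description: whether a server version falls inside the advisory's affected ranges, and which ACL entries in a `getAcl` listing use the digest scheme, since their Id field is what an unauthenticated getACL() returns. The `getAcl` output layout, the username and the hash value in the sample are constructed assumptions.

```python
"""Triage helpers for CVE-2019-0201 (added example, not advisory text)."""
import re

# Pre-release tags in the order ZooKeeper publishes them; a final release
# (no tag) must sort after every pre-release of the same x.y.z.
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3


def parse_version(v):
    """Map '3.5.4-beta' -> (3, 5, 4, 1, 0) and '3.4.13' -> (3, 4, 13, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d*))?", v.strip())
    if not m:
        raise ValueError("unrecognised ZooKeeper version: %r" % v)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, _FINAL, 0)
    return (major, minor, patch, _PRE_ORDER[m.group(4)], int(m.group(5) or 0))


# Ranges taken from the advisory: 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta.
AFFECTED_RANGES = [("1.0.0", "3.4.13"), ("3.5.0-alpha", "3.5.4-beta")]


def is_affected(version):
    """True when `version` lies inside one of the advisory's affected ranges."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Assumed zkCli `getAcl` layout: one line "'scheme,'id" then one line ": perms".
_ACL_ENTRY = re.compile(r"'(\w+),'([^'\n]*)\n:\s*(\w+)")


def exposed_digest_ids(acl_output):
    """Return (id, perms) for each digest-scheme ACL entry in getAcl output.

    With digest auth, the id column carries the user's authentication hash,
    which is exactly the value getACL() disclosed in affected versions.
    """
    return [(ident, perms)
            for scheme, ident, perms in _ACL_ENTRY.findall(acl_output)
            if scheme == "digest"]


# Constructed sample listing (username and hash value are made up).
SAMPLE_GETACL = ("'digest,'alice:Constructed0Base64Hash=\n: cdrwa\n"
                 "'world,'anyone\n: r\n")
```

Entries flagged by `exposed_digest_ids` on an affected version are the ones whose digest should be treated as exposed to any client that can reach the ensemble.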

*Credits: N/A
CVSS Scores
  Metric               CVSS v3.1 (5.9)   CVSS v3 (alternate)   CVSS v2
  Attack Vector        Network           Network               Network
  Attack Complexity    High              Low                   Medium
  Privileges Required  None              None                  -
  Authentication       -                 -                     None
  User Interaction     None              None                  -
  Scope                Unchanged         Unchanged             -
  Confidentiality      High              High                  Partial
  Integrity            None              None                  None
  Availability         None              None                  None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-11-14 CVE Reserved
  • 2019-05-23 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-10-13 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
  • CWE-862: Missing Authorization
References (22)
Affected Vendors, Products, and Versions
  Vendor  Product                         Version              Other  Status
  Netapp  Hci Bootstrap Os                --                          Affected
  Netapp  Hci Compute Node                --                          Safe
  Apache  Activemq                        5.15.9               -      Affected
  Apache  Drill                           1.16.0               -      Affected
  Apache  Zookeeper                       >= 1.0.0 <= 3.4.13   -      Affected
  Apache  Zookeeper                       3.5.0                -      Affected
  Apache  Zookeeper                       3.5.0                alpha  Affected
  Apache  Zookeeper                       3.5.0                rc0    Affected
  Apache  Zookeeper                       3.5.1                -      Affected
  Apache  Zookeeper                       3.5.1                alpha  Affected
  Apache  Zookeeper                       3.5.1                rc0    Affected
  Apache  Zookeeper                       3.5.1                rc1    Affected
  Apache  Zookeeper                       3.5.1                rc2    Affected
  Apache  Zookeeper                       3.5.1                rc3    Affected
  Apache  Zookeeper                       3.5.1                rc4    Affected
  Apache  Zookeeper                       3.5.2                -      Affected
  Apache  Zookeeper                       3.5.2                alpha  Affected
  Apache  Zookeeper                       3.5.2                rc0    Affected
  Apache  Zookeeper                       3.5.2                rc1    Affected
  Apache  Zookeeper                       3.5.3                -      Affected
  Apache  Zookeeper                       3.5.3                beta   Affected
  Apache  Zookeeper                       3.5.3                rc0    Affected
  Apache  Zookeeper                       3.5.3                rc1    Affected
  Apache  Zookeeper                       3.5.4                beta   Affected
  Debian  Debian Linux                    8.0                  -      Affected
  Debian  Debian Linux                    9.0                  -      Affected
  Redhat  Fuse                            1.0.0                -      Affected
  Oracle  Goldengate Stream Analytics     < 19.1.0.0.1         -      Affected
  Oracle  Siebel Core - Server Framework  <= 21.5              -      Affected
  Oracle  Timesten In-memory Database     < 18.1.3.1.0         -      Affected
  Netapp  Element Software                --                          Affected