CVE-2019-0201 Information

Feb 14, 2021 cve

Description

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence if Digest Authentication is in use the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.securityfocus.com/bid/108427 https://access.redhat.com/errata/RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:4352 https://issues.apache.org/jira/browse/ZOOKEEPER-1392 https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@3Cissues.activemq.apache.org3E https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@3Cdev.drill.apache.org3E https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@3Ccommits.accumulo.apache.org3E https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@3Cdev.drill.apache.org3E https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@3Cissues.bookkeeper.apache.org3E https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@3Cissues.drill.apache.org3E https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html https://seclists.org/bugtraq/2019/Jun/13 https://security.netapp.com/advisory/ntap-20190619-0001/ https://www.debian.org/security/2019/dsa-4461 https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://zookeeper.apache.org/security.htmlCVE-2019-0201

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.9

Share on: