CVE-2019-0201

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
References
Link Resource
http://www.securityfocus.com/bid/108427 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:3140 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352 Third Party Advisory
https://issues.apache.org/jira/browse/ZOOKEEPER-1392 Issue Tracking Patch Vendor Advisory
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/13 Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20190619-0001/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4461 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch Third Party Advisory
https://zookeeper.apache.org/security.html#CVE-2019-0201 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.0:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:-:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.2:-:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.2:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.2:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.2:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.3:-:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.3:rc0:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.3:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.4:beta:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*

History

19 Apr 2022, 15:35

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*
cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*
References
  • (MLIST) https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E - Mailing List, Vendor Advisory
References (MLIST) https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E - Mailing List, Patch, Vendor Advisory
References (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:3140 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:3140 - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20190619-0001/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20190619-0001/ - Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E - Mailing List, Vendor Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html - Third Party Advisory (MLIST) https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2019/dsa-4461 - (DEBIAN) https://www.debian.org/security/2019/dsa-4461 - Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E - Mailing List, Vendor Advisory
References (MLIST) https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E - Mailing List, Vendor Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:3892 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:3892 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:4352 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:4352 - Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E - Mailing List, Vendor Advisory
References (MLIST) https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E - Mailing List, Vendor Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Jun/13 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Jun/13 - Mailing List, Third Party Advisory

16 Aug 2021, 13:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

Information

Published : 2019-05-23 14:29

Updated : 2024-02-04 20:20


NVD link : CVE-2019-0201

Mitre link : CVE-2019-0201

CVE.ORG link : CVE-2019-0201


JSON object : View

Products Affected

netapp

  • hci_bootstrap_os
  • element_software
  • hci_compute_node

debian

  • debian_linux

redhat

  • fuse

oracle

  • timesten_in-memory_database
  • siebel_core_-_server_framework
  • goldengate_stream_analytics

apache

  • drill
  • activemq
  • zookeeper
CWE
CWE-862

Missing Authorization