An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
|
History
19 Apr 2022, 15:35
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:* cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:* cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:* cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:* |
|
References |
|
|
References | (MLIST) https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:3140 - Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20190619-0001/ - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2019/dsa-4461 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:3892 - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:4352 - Third Party Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E - Mailing List, Vendor Advisory | |
References | (BUGTRAQ) https://seclists.org/bugtraq/2019/Jun/13 - Mailing List, Third Party Advisory |
16 Aug 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2019-05-23 14:29
Updated : 2024-02-04 20:20
NVD link : CVE-2019-0201
Mitre link : CVE-2019-0201
CVE.ORG link : CVE-2019-0201
JSON object : View
Products Affected
netapp
- hci_bootstrap_os
- element_software
- hci_compute_node
debian
- debian_linux
redhat
- fuse
oracle
- timesten_in-memory_database
- siebel_core_-_server_framework
- goldengate_stream_analytics
apache
- drill
- activemq
- zookeeper
CWE
CWE-862
Missing Authorization