CVE-2019-0201

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-0201

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-0201.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-0201

Aliases

GHSA-2hw2-62cp-p9p7

Related

Published

2019-05-23T14:29:07Z

Modified

2024-09-18T01:00:22Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

References

Affected packages

Debian:11 / zookeeper

Package

Name: zookeeper
Purl: pkg:deb/debian/zookeeper?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / zookeeper

Package

Name: zookeeper
Purl: pkg:deb/debian/zookeeper?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / zookeeper

Package

Name: zookeeper
Purl: pkg:deb/debian/zookeeper?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.13-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}