CVE-2019-0201
- Source
- https://cve.org/CVERecord?id=CVE-2019-0201
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-0201.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-0201
- Aliases
- Downstream
- Related
- Published
- 2019-05-23T14:29:07.517Z
- Modified
- 2026-03-15T22:21:11.186454Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
- References
-
- https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- http://www.securityfocus.com/bid/108427
- https://access.redhat.com/errata/RHSA-2019:3892
- https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html
- https://www.debian.org/security/2019/dsa-4461
- https://zookeeper.apache.org/security.html#CVE-2019-0201
- https://seclists.org/bugtraq/2019/Jun/13
- https://access.redhat.com/errata/RHSA-2019:3140
- https://access.redhat.com/errata/RHSA-2019:4352
- https://security.netapp.com/advisory/ntap-20190619-0001/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://issues.apache.org/jira/browse/ZOOKEEPER-1392
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Affected packages
Git / github.com/apache/activemq
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/activemq
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "5.15.9" } ] }
- Type
- GIT
- Repo
- https://github.com/apache/zookeeper
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "3.5.0-rc0" }, { "introduced": "0" }, { "last_affected": "3.5.1-NA" }, { "introduced": "0" }, { "last_affected": "3.5.1-rc0" }, { "introduced": "0" }, { "last_affected": "3.5.1-rc1" }, { "introduced": "0" }, { "last_affected": "3.5.1-rc2" }, { "introduced": "0" }, { "last_affected": "3.5.1-rc3" }, { "introduced": "0" }, { "last_affected": "3.5.1-rc4" }, { "introduced": "0" }, { "last_affected": "3.5.2-NA" }, { "introduced": "0" }, { "last_affected": "3.5.2-rc0" }, { "introduced": "0" }, { "last_affected": "3.5.2-rc1" }, { "introduced": "0" }, { "last_affected": "3.5.3-NA" }, { "introduced": "0" }, { "last_affected": "3.5.3-rc0" }, { "introduced": "0" }, { "last_affected": "3.5.3-rc1" } ] }
Affected versions
activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.15.1
activemq-5.15.2
activemq-5.15.3
activemq-5.15.4
activemq-5.15.5
activemq-5.15.6
activemq-5.15.7
activemq-5.15.8
activemq-5.15.9
activemq-5.9.0
Other
before_interruptible
debian_version_0_95-1
debian_version_1_0-1
fuse_0_9
fuse_0_95
fuse_1_1
fuse_1_1_pre2
fuse_1_9
fuse_2_2
fuse_2_2_pre1
fuse_2_2_pre4
fuse_2_2_pre5
fuse_2_2_pre6
fuse_2_3_0
fuse_2_3_pre1
fuse_2_3_pre2
fuse_2_3_pre3
fuse_2_3_pre4
fuse_2_3_pre5
fuse_2_3_pre6
fuse_2_3_pre7
fuse_2_3_rc1
fuse_2_4_0
fuse_2_4_0_pre2
fuse_2_4_0_rc1
fuse_2_4_1
fuse_2_5_0
fuse_2_5_0_pre1
fuse_2_5_0_pre2
fuse_2_6_0
fuse_2_6_0_pre1
fuse_2_6_0_pre2
fuse_2_6_0_pre3
fuse_2_6_0_rc1
fuse_2_6_0_rc2
fuse_2_6_0_rc3
fuse_2_6_1
fuse_2_7_0
fuse_2_7_0_rc1
fuse_2_7_1
fuse_2_7_2
fuse_2_7_2_before_indent
fuse_2_8_0
fuse_2_8_0_pre2
fuse_2_8_1
fuse_2_8_2
fuse_2_8_3
fuse_2_8_4
fuse_2_8_start
fuse_2_9_0
fuse_2_9_1
fuse_2_9_2
fuse_2_9_3
fuse_2_9_start
fuse_3_0_start
start
fuse-3.*
fuse-3.0.0
fuse-3.0.0pre0
fuse-3.0.0rc1
fuse-3.0.0rc2
fuse-3.0.0rc3
fuse-3.0.1
fuse-3.0.2
fuse-3.1.0
fuse-3.1.1
fuse-3.2.0
fuse-3.2.1
fuse-3.2.2
fuse-3.2.3
fuse-3.2.4
fuse-3.2.5
fuse-3.2.6
fuse-3.3.0
fuse-3.4.2
fuse-3.5.0
release-3.*
release-3.5.3
release-3.5.3-rc0
release-3.5.3-rc1
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.16.0"
}
]
},
{
"events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "3.4.13"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.0-alpha"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.1-alpha"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.2-alpha"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.3-beta"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.4-beta"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.1.0.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "21.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.3.1.0"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-0201.json"