GHSA-535v-4x9q-446c

Source

https://github.com/advisories/GHSA-535v-4x9q-446c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-535v-4x9q-446c/GHSA-535v-4x9q-446c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-535v-4x9q-446c

Aliases

CVE-2019-0212

Published

2019-04-02T15:47:00Z

Modified

2023-11-08T04:00:31.478691Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Authorization in org.apache.hbase:hbase

Details

In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T20:59:53Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285"
    ]
}

References

Affected packages

Maven / org.apache.hbase:hbase

Package

Name: org.apache.hbase:hbase; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hbase/hbase

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.5

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

Maven / org.apache.hbase:hbase

Package

Name: org.apache.hbase:hbase; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hbase/hbase

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.4

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3