
CVE-2019-20933

Published: 27 Mar 2019
Source: redhat
CVSS3: 8.6

Description

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret, nor does its documentation state that a JWT secret must be generated. If InfluxDB is left in this default state, the flaw allows an attacker to generate their own JWT token and log into the InfluxDB instance, potentially escalating privileges and gaining access to sensitive information.

Mitigation

For versions before 1.7.6, as per the documentation updated by InfluxDB, ensure that a shared-secret has been defined in the configuration when enabling JWT authentication: https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#1-add-a-shared-secret-in-your-influxdb-configuration-file

Versions including the fix return an error if the secret is left empty.
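As an added example (not InfluxDB's own code), the check that the fix introduces, written in Go with only the standard library: an HS256 JWT verifier that refuses to authenticate at all when the configured shared secret is empty. Function names and the `s3cret` value are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ErrEmptySecret mirrors what fixed InfluxDB versions do: refuse JWT
// authentication outright when no shared secret has been configured.
var ErrEmptySecret = errors.New("jwt auth enabled but shared-secret is empty")

// VerifyHS256 checks an HS256 JWT against sharedSecret. The first check is
// the one missing before 1.7.6: with an empty HMAC key any client can
// produce a signature that verifies, so verification must not be attempted.
func VerifyHS256(token, sharedSecret string) error {
	if sharedSecret == "" {
		return ErrEmptySecret
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, []byte(sharedSecret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("invalid signature")
	}
	return nil
}

// SignHS256 builds a token from constructed claims; it exists only to
// produce test input for the verifier above (hypothetical helper).
func SignHS256(claimsJSON, sharedSecret string) string {
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc([]byte(claimsJSON))
	mac := hmac.New(sha256.New, []byte(sharedSecret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}

func main() {
	emptyKeyToken := SignHS256(`{"username":"admin"}`, "") // what a default install accepted
	fmt.Println("empty secret:", VerifyHS256(emptyKeyToken, ""))
	fmt.Println("secret set  :", VerifyHS256(SignHS256(`{"username":"admin"}`, "s3cret"), "s3cret"))
}
```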

Affected packages

Platform                                              Package                                   State         Recommendation  Release
Distributed Tracing Jaeger 1                          jaeger-rhel8-operator                     Not affected
OpenShift Service Mesh 1                              servicemesh-prometheus                    Not affected
OpenShift Service Mesh 2.0                            servicemesh-prometheus                    Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  influxdb                                  Not affected
Red Hat Fuse 7                                        camel-influxdb                            Not affected
Red Hat Fuse 7                                        camel-influxdb-starter                    Not affected
Red Hat Fuse 7                                        influxdb-java                             Not affected
Red Hat Integration Camel K 1                         camel-influxdb                            Not affected
Red Hat Integration Camel K 1                         camel-quarkus-influxdb-deployment         Not affected
Red Hat Integration Camel K 1                         camel-quarkus-influxdb-integration-test   Not affected


Additional information

Status: Important
Weakness: CWE-20->CWE-287
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1900078
influxdb: authentication bypass because a JWT token may have an empty SharedSecret

CVSS3: 8.6 (High)

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 5 years ago

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

CVSS3: 9.8
nvd
about 5 years ago

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

CVSS3: 9.8
debian
about 5 years ago

InfluxDB before 1.7.6 has an authentication bypass vulnerability in th ...

CVSS3: 9.8
github
more than 4 years ago

Improper Authentication in InfluxDB

CVSS3: 9.8
fstec
almost 7 years ago

A vulnerability in the authenticate function of the services/httpd/handler.go component of the InfluxDB time-series database, caused by flaws in the authentication procedure, allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service.
