Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2019-0201

Опубликовано: 23 мая 2019
Источник: ubuntu
Приоритет: low
EPSS Низкий
CVSS2: 4.3
CVSS3: 5.9

Описание

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

РелизСтатусПримечание
bionic

ignored

end of standard support, was needed
cosmic

ignored

end of life
devel

not-affected

3.4.13-3
disco

ignored

end of life
eoan

ignored

end of life
esm-apps/bionic

not-affected

3.4.13-3
esm-apps/focal

not-affected

3.4.13-3
esm-apps/jammy

not-affected

3.4.13-3
esm-apps/xenial

released

3.4.8-1ubuntu0.1~esm2
esm-infra-legacy/trusty

released

3.4.5+dfsg-1ubuntu0.1~esm3

Показывать по

Ссылки на источники

EPSS

Процентиль: 52%
0.00294
Низкий

4.3 Medium

CVSS2

5.9 Medium

CVSS3

Связанные уязвимости

redhat логотип

CVE-2019-0201

CVSS3: 7.5
redhat
больше 6 лет назад

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

nvd логотип

CVE-2019-0201

CVSS3: 5.9
nvd
больше 6 лет назад

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

debian логотип

CVE-2019-0201

CVSS3: 5.9
debian
больше 6 лет назад

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alph ...

github логотип

GHSA-2hw2-62cp-p9p7

CVSS3: 5.9
github
больше 6 лет назад

Access control bypass in Apache ZooKeeper

fstec логотип

BDU:2020-02563

CVSS3: 5.9
fstec
больше 6 лет назад

Уязвимость реализации команды getACL() централизованной службы для поддержки информации о конфигурации, именования, обеспечения распределенной синхронизации и предоставления групповых служб Apache ZooKeeper, позволяющая нарушителю раскрыть некоторые значения хеш-функции

EPSS

Процентиль: 52%
0.00294
Низкий

4.3 Medium

CVSS2

5.9 Medium

CVSS3