Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2019-0201

Опубликовано: 23 мая 2019
Источник: ubuntu
Приоритет: low
EPSS Низкий
CVSS2: 4.3
CVSS3: 5.9

Описание

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

РелизСтатусПримечание
bionic

ignored

end of standard support, was needed
cosmic

ignored

end of life
devel

not-affected

3.4.13-3
disco

ignored

end of life
eoan

ignored

end of life
esm-apps/bionic

not-affected

3.4.13-3
esm-apps/focal

not-affected

3.4.13-3
esm-apps/jammy

not-affected

3.4.13-3
esm-apps/xenial

released

3.4.8-1ubuntu0.1~esm2
esm-infra-legacy/trusty

not-affected

3.4.5+dfsg-1ubuntu0.1~esm3

Показывать по

Ссылки на источники

EPSS

Процентиль: 47%
0.00237
Низкий

4.3 Medium

CVSS2

5.9 Medium

CVSS3

Связанные уязвимости

redhat логотип

CVE-2019-0201

CVSS3: 7.5
redhat
около 6 лет назад

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

nvd логотип

CVE-2019-0201

CVSS3: 5.9
nvd
около 6 лет назад

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

debian логотип

CVE-2019-0201

CVSS3: 5.9
debian
около 6 лет назад

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alph ...

github логотип

GHSA-2hw2-62cp-p9p7

CVSS3: 5.9
github
около 6 лет назад

Access control bypass in Apache ZooKeeper

fstec логотип

BDU:2020-02563

CVSS3: 5.9
fstec
около 6 лет назад

Уязвимость реализации команды getACL() централизованной службы для поддержки информации о конфигурации, именования, обеспечения распределенной синхронизации и предоставления групповых служб Apache ZooKeeper, позволяющая нарушителю раскрыть некоторые значения хеш-функции

EPSS

Процентиль: 47%
0.00237
Низкий

4.3 Medium

CVSS2

5.9 Medium

CVSS3