An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
|
History
07 Nov 2023, 03:01
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-05-23 14:29
Updated : 2024-02-28 17:08
NVD link : CVE-2019-0201
Mitre link : CVE-2019-0201
CVE.ORG link : CVE-2019-0201
JSON object : View
Products Affected
apache
- activemq
- zookeeper
- drill
oracle
- goldengate_stream_analytics
- timesten_in-memory_database
- siebel_core_-_server_framework
netapp
- hci_compute_node
- element_software
- hci_bootstrap_os
debian
- debian_linux
redhat
- fuse
CWE
CWE-862
Missing Authorization