Access Control Vulnerability in Apache ZooKeeper by Apache Software Foundation
CVE-2019-0201

5.9MEDIUM

Key Information:

Vendor
Apache
Status
Apache Zookeeper
Vendor
CVE Published:
23 May 2019

Summary

An access control issue has been identified in Apache ZooKeeper versions 1.0.0 through 3.4.13 and from 3.5.0-alpha to 3.5.4-beta. The vulnerability allows the getACL() command to be executed without verifying permissions, inadvertently revealing the ACLs in a plaintext format. Specifically, this flaw affects the Id field in the DigestAuthenticationProvider, which uses unsalted hash values for user authentication. As a result, unauthenticated or unprivileged users may gain access to sensitive authentication data, leading to potential security breaches.

Affected Version(s)

Apache ZooKeeper 1.0.0 to 3.4.13

Apache ZooKeeper 3.5.0-alpha to 3.5.4-beta

References

http://www.securityfocus.com/bid/108427
vdb-entryx_refsource_BID
https://lists.debian.org/debian-lts-announce/2019/05/msg0...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/f6112882e30a31992a79...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.