Apache Accumulo Improper Handling of Insufficient Permissions
CVE-2020-17533

8.1HIGH

Key Information:

Vendor
Apache
Status
Apache Accumulo
Vendor
CVE Published:
29 December 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.

Affected Version(s)

Apache Accumulo Apache Accumulo 2.0.0

Apache Accumulo 1.5.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-17533
Created by pazeray

References

https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb...
x_refsource_MISC
https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb...
mailing-listx_refsource_MLIST
http://www.openwall.com/lists/oss-security/2020/12/29/1
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability Reserved

.