CVE-2019-0201: An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves…

medium5.9CVSS 3.1

AVNACHPRNUINSUCHINAN

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Affected

26 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	activemq	—	—
apache	drill	—	—
apache	zookeeper	—	—
apache	zookeeper	—	—
apache	zookeeper	—	—
apache	zookeeper	—	—
apache	zookeeper	—	—
apache	zookeeper	>= 0 < 3.4.13-2	3.4.13-2
apache	zookeeper	>= 0 < 3.4.13-2	3.4.13-2
apache	zookeeper	>= 0 < 3.4.13-2	3.4.13-2
apache	zookeeper	>= 0 < 3.4.13-2	3.4.13-2
apache	zookeeper	>= 0 < 3.4.13-5ubuntu0.1	3.4.13-5ubuntu0.1
apache	zookeeper	>= 0 < 3.4.13-6ubuntu4.1	3.4.13-6ubuntu4.1
apache	zookeeper	>= 0 < 3.4.5+dfsg-1ubuntu0.1~esm3	3.4.5+dfsg-1ubuntu0.1~esm3
apache	zookeeper	>= 0 < 3.4.8-1ubuntu0.1~esm2	3.4.8-1ubuntu0.1~esm2
apache	zookeeper	>= 0 < 3.4.13-3ubuntu0.1~esm1	3.4.13-3ubuntu0.1~esm1
apache	zookeeper	1.0.0 – 3.4.13	—
apache_software_foundation	apache_zookeeper	—	—
apache_software_foundation	apache_zookeeper	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	zookeeper	< zookeeper 3.4.13-2 (bookworm)	zookeeper 3.4.13-2 (bookworm)
oracle	goldengate_stream_analytics	< 19.1.0.0.1	19.1.0.0.1
oracle	siebel_core_server_framework	<= 21.5	—
oracle	timesten_in-memory_database	< 18.1.3.1.0	18.1.3.1.0

CVSS provenance

nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

osv5.9MEDIUM