CVE-2019-0201
Severity
5.9 MEDIUM
EPSS
0.2%
top 56.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published May 23
Latest update Jan 16
Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request for …
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 11 packages
Also affects: Debian Linux 8.0, 9.0