CVE-2019-0212 — Improper Authorization in Apache Hbase

CWE-285 — Improper Authorization7 documents6 sources

Severity

7.5HIGHNVD

EPSS

4.0%

top 11.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hbase Apache Hbase

Timeline

PublishedMar 28

Latest updateApr 4

Description

In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/hbase2.0.0 — 2.0.4+1

▶CVEListV5apache/apache_hbase2.1.0-2.1.3, Apache HBase 2.0.0-2.0.4+1

🔴Vulnerability Details

OSV

Improper Authorization in org.apache.hbase:hbase↗2019-04-02

▶

GHSA

Improper Authorization in org.apache.hbase:hbase↗2019-04-02

▶

CVEList

CVE-2019-0212: In all previously released Apache HBase 2↗2019-03-28

▶

📋Vendor Advisories

Red Hat

hbase: Apache HBase REST Server incorrect user authorization↗2019-03-27

▶

💬Community

Bugzilla

CVE-2019-0212 hbase: Apache HBase REST Server incorrect user authorization↗2019-04-04

▶

Bugzilla

CVE-2018-11627 rubygem-sinatra: XSS in the 400 Bad Request page↗2018-06-01

▶