Severity: 7.5 HIGH
EPSS: 0.1% (top 73.75%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Nov 5
Latest update: May 24

Description

In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. Session and query IDs are unique and random, but have not been documented or consistently treated as sensitive secrets. Therefore they may be exposed in logs or interfaces. They were also not generated with a cryptographically secure rand

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (2 packages)

NVD: apache/impala, 2.7.0 to 3.2.0
CVEListV5: apache_software_foundation/impala, 2.7.0 to 3.2.0

Vulnerability Details (2)

GHSA
GHSA-2552-7vjw-33qv: In Apache Impala 2 | 2022-05-24
CVEList
CVE-2019-10084: In Apache Impala 2 | 2019-11-05