CVE-2019-20933
published 2020-11-19CVE-2019-20933: InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an…
PriorityP188critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
30.92%
98.0th percentile
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | influxdb | < influxdb 1.6.7~rc0-1 (bookworm) | influxdb 1.6.7~rc0-1 (bookworm) |
| github.com | influxdata_influxdb | >= 0 < 1.7.6 | 1.7.6 |
| influxdata | influxdb | < 1.7.6 | 1.7.6 |
| influxdata | influxdb | >= 0 < 1.6.7~rc0-1 | 1.6.7~rc0-1 |
| influxdata | influxdb | >= 0 < 1.6.7~rc0-1 | 1.6.7~rc0-1 |
| influxdata | influxdb | >= 0 < 1.6.7~rc0-1 | 1.6.7~rc0-1 |
| influxdata | influxdb | >= 0 < 1.6.7~rc0-1 | 1.6.7~rc0-1 |
Detection & IOCsextracted from sources · hover to see the quote
url/query?db=db&q=SHOW%20DATABASES
- →Send a GET request to /query?db=db&q=SHOW%20DATABASES with a JWT token bearing an empty shared secret; a vulnerable InfluxDB instance will respond HTTP 200 with body containing both '"results":' and '"name":"databases"'.
- →Shodan queries to identify exposed InfluxDB instances: search for 'InfluxDB', 'influxdb', or http.title:"influxdb - admin interface".
- →FOFA query to identify exposed InfluxDB admin interfaces: title="influxdb - admin interface".
- →Google dork to identify exposed InfluxDB admin interfaces: intitle:"influxdb - admin interface".
- →The vulnerability is exploitable when JWT authentication is enabled but no shared secret is configured (empty SharedSecret). Detect by attempting authentication with a self-signed JWT token with an empty secret against the InfluxDB HTTP API. ↗
- ·The authentication bypass only applies when JWT authentication is enabled AND the shared-secret configuration value is left empty (default state). Instances with a properly configured shared secret are not vulnerable. ↗
- ·Fixed in InfluxDB 1.7.6; versions including the fix will return an error if the secret is left empty. Debian fixed in package version 1.6.7~rc0-1. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vulncheck9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_redhat9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Improper Authentication in InfluxDB in github.com/influxdata/influxdb
osv·2024-08-21
CVE-2019-20933 Improper Authentication in InfluxDB in github.com/influxdata/influxdb
Improper Authentication in InfluxDB in github.com/influxdata/influxdb
Improper Authentication in InfluxDB in github.com/influxdata/influxdb
OSV
Improper Authentication in InfluxDB
osv·2021-05-18
CVE-2019-20933 [CRITICAL] Improper Authentication in InfluxDB
Improper Authentication in InfluxDB
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in `services/httpd/handler.go` because a JWT token may have an empty SharedSecret (aka shared secret).
GHSA
Improper Authentication in InfluxDB
ghsa·2021-05-18
CVE-2019-20933 [CRITICAL] CWE-287 Improper Authentication in InfluxDB
Improper Authentication in InfluxDB
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in `services/httpd/handler.go` because a JWT token may have an empty SharedSecret (aka shared secret).
OSV
CVE-2019-20933: InfluxDB before 1
osv·2020-11-19·CVSS 9.8
CVE-2019-20933 [CRITICAL] CVE-2019-20933: InfluxDB before 1
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
VulnCheck
influxdata influxdb Improper Authentication
vulncheck·2019·CVSS 9.8
CVE-2019-20933 [CRITICAL] influxdata influxdb Improper Authentication
influxdata influxdb Improper Authentication
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
Affected: influxdata influxdb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2019-20933; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-21&host_type=src&vulnerability=cve-2019-20933; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=20
Ubuntu
InfluxDB vulnerability
vendor_ubuntu·2022-05-31
CVE-2019-20933 InfluxDB vulnerability
Title: InfluxDB vulnerability
Summary: An InfluxDB vulnerability allowed attackers to login as any known
database user.
Ilya Averyanov discovered that an InfluxDB vulnerability allowed
attackers to bypass authentication and gain access to any known
database user.
Instructions: After a standard system update you need to restart the influxdb
service to make all the necessary changes.
Red Hat
influxdb: authentication bypass because a JWT token may have an empty SharedSecret
vendor_redhat·2019-03-27·CVSS 9.8
CVE-2019-20933 [CRITICAL] CWE-20 influxdb: authentication bypass because a JWT token may have an empty SharedSecret
influxdb: authentication bypass because a JWT token may have an empty SharedSecret
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret or state in the documentation that a JWT secret must be generated. If InfluxDB is left in the default state, this flaw allows an attacker to generate their own JWT token and log into the InfluxDBinstance, potentially escalating privileges and gaining access to sensitive information.
Mitigation: For versions before 1.7.6, as per the documentation updated by influxdb, e
Debian
CVE-2019-20933: influxdb - InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenti...
vendor_debian·2019·CVSS 9.8
CVE-2019-20933 [CRITICAL] CVE-2019-20933: influxdb - InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenti...
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
Scope: local
bookworm: resolved (fixed in 1.6.7~rc0-1)
bullseye: resolved (fixed in 1.6.7~rc0-1)
forky: resolved (fixed in 1.6.7~rc0-1)
sid: resolved (fixed in 1.6.7~rc0-1)
trixie: resolved (fixed in 1.6.7~rc0-1)
No detection rules found.
Nuclei
InfluxDB <1.7.6 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2019-20933 [CRITICAL] InfluxDB <1.7.6 - Authentication Bypass
InfluxDB <1.7.6 - Authentication Bypass
InfluxDB before 1.7.6 contains an authentication bypass vulnerability via the authenticate function in services/httpd/handler.go. A JWT token may have an empty SharedSecret (aka shared secret). An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2019-20933
info:
name: InfluxDB <1.7.6 - Authentication Bypass
author: pussycat0x,c-sh0
severity: critical
description: InfluxDB before 1.7.6 contains an authentication bypass vulnerability via the authenticate function in services/httpd/handler.go. A JWT token may have an empty SharedSecret (aka shared secret). An attacker can possibly obtain sensitive information, modify data, and
https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6https://github.com/influxdata/influxdb/issues/12927https://lists.debian.org/debian-lts-announce/2020/12/msg00030.htmlhttps://www.debian.org/security/2021/dsa-4823https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6https://github.com/influxdata/influxdb/issues/12927https://lists.debian.org/debian-lts-announce/2020/12/msg00030.htmlhttps://www.debian.org/security/2021/dsa-4823
2020-11-19
Published
Exploited in the wild