CVE-2019-0201
moderate-risk
Published 2019-05-23
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Do I need to act?
-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (20)
Drill
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
Zookeeper
References (40)
Third Party Advisory
http://www.securityfocus.com/bid/108427
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3140
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352
Issue Tracking
https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Mailing List
https://seclists.org/bugtraq/2019/Jun/13
Third Party Advisory
https://security.netapp.com/advisory/ntap-20190619-0001/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4461
Vendor Advisory
https://zookeeper.apache.org/security.html#CVE-2019-0201
and 20 more references
41
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
22/34 · High