CVE-2019-0201

CVSS v3.1: 5.9 (Medium)
CVSS v2.0: 4.3 (Medium)
EPSS: 0.09% (40th percentile)
Affected Products: 11
Advisories: 5

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value is disclosed to unauthenticated or unprivileged users by a getACL() request.

Weaknesses: CWE-862 (Missing Authorization)
CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2019-05-23 14:29:07
Updated Date: 2023-11-07 03:01:48

Affected Products


Configuration #1

  Product           Version               CPE 2.3                                  Range
  Apache Activemq   5.15.9                cpe:2.3:a:apache:activemq:5.15.9
  Apache Drill      1.16.0                cpe:2.3:a:apache:drill:1.16.0
  Apache Zookeeper  1.0.0 through 3.4.13  cpe:2.3:a:apache:zookeeper               >= 1.0.0, <= 3.4.13
  Apache Zookeeper  3.5.0                 cpe:2.3:a:apache:zookeeper:3.5.0:-
  Apache Zookeeper  3.5.0 Alpha           cpe:2.3:a:apache:zookeeper:3.5.0:alpha
  Apache Zookeeper  3.5.0 Rc0             cpe:2.3:a:apache:zookeeper:3.5.0:rc0
  Apache Zookeeper  3.5.1                 cpe:2.3:a:apache:zookeeper:3.5.1:-
  Apache Zookeeper  3.5.1 Alpha           cpe:2.3:a:apache:zookeeper:3.5.1:alpha
  Apache Zookeeper  3.5.1 Rc0             cpe:2.3:a:apache:zookeeper:3.5.1:rc0
  Apache Zookeeper  3.5.1 Rc1             cpe:2.3:a:apache:zookeeper:3.5.1:rc1
  Apache Zookeeper  3.5.1 Rc2             cpe:2.3:a:apache:zookeeper:3.5.1:rc2
  Apache Zookeeper  3.5.1 Rc3             cpe:2.3:a:apache:zookeeper:3.5.1:rc3
  Apache Zookeeper  3.5.1 Rc4             cpe:2.3:a:apache:zookeeper:3.5.1:rc4
  Apache Zookeeper  3.5.2                 cpe:2.3:a:apache:zookeeper:3.5.2:-
  Apache Zookeeper  3.5.2 Alpha           cpe:2.3:a:apache:zookeeper:3.5.2:alpha
  Apache Zookeeper  3.5.2 Rc0             cpe:2.3:a:apache:zookeeper:3.5.2:rc0
  Apache Zookeeper  3.5.2 Rc1             cpe:2.3:a:apache:zookeeper:3.5.2:rc1
  Apache Zookeeper  3.5.3                 cpe:2.3:a:apache:zookeeper:3.5.3:-
  Apache Zookeeper  3.5.3 Beta            cpe:2.3:a:apache:zookeeper:3.5.3:beta
  Apache Zookeeper  3.5.3 Rc0             cpe:2.3:a:apache:zookeeper:3.5.3:rc0
  Apache Zookeeper  3.5.3 Rc1             cpe:2.3:a:apache:zookeeper:3.5.3:rc1
  Apache Zookeeper  3.5.4 Beta            cpe:2.3:a:apache:zookeeper:3.5.4:beta

Configuration #2

  Product       Version  CPE 2.3                           Range
  Debian Linux  8.0      cpe:2.3:o:debian:debian_linux:8.0
  Debian Linux  9.0      cpe:2.3:o:debian:debian_linux:9.0

Configuration #3

  Product      Version  CPE 2.3                     Range
  Redhat Fuse  1.0.0    cpe:2.3:a:redhat:fuse:1.0.0

Configuration #4

  Product                                Version              CPE 2.3                                          Range
  Oracle Goldengate Stream Analytics     prior to 19.1.0.0.1  cpe:2.3:a:oracle:goldengate_stream_analytics     < 19.1.0.0.1
  Oracle Siebel Core - Server Framework  21.5 and prior       cpe:2.3:a:oracle:siebel_core_-_server_framework  <= 21.5
  Oracle Timesten In-memory Database     prior to 18.1.3.1.0  cpe:2.3:a:oracle:timesten_in-memory_database     < 18.1.3.1.0

Configuration #5

Both parts must match (AND):
  Product                  Version  CPE 2.3                              Range
  Netapp Hci Bootstrap Os  -        cpe:2.3:o:netapp:hci_bootstrap_os:-
  Running on/with:
  Netapp Hci Compute Node  -        cpe:2.3:h:netapp:hci_compute_node:-

Configuration #6

  Product                  Version  CPE 2.3                              Range
  Netapp Element Software  -        cpe:2.3:a:netapp:element_software:-