Vulnerability Details : CVE-2019-0201
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command does not perform any permission check when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value is disclosed by a getACL() request to unauthenticated or unprivileged users.
Exploit prediction scoring system (EPSS) score for CVE-2019-0201
Probability of exploitation activity in the next 30 days: 0.09%
Percentile (the proportion of vulnerabilities scored at or below this value): ~37%
CVSS scores for CVE-2019-0201
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST
CWE ids for CVE-2019-0201
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-0201
- https://www.oracle.com/security-alerts/cpuoct2020.html
  Oracle Critical Patch Update Advisory - October 2020 (Patch; Third Party Advisory)
- https://zookeeper.apache.org/security.html#CVE-2019-0201
  Apache ZooKeeper (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:3140
  RHSA-2019:3140 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html
  [SECURITY] [DLA 1801-1] zookeeper security update (Mailing List; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html
  Oracle Critical Patch Update Advisory - July 2020 (Patch; Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html
  Oracle Critical Patch Update Advisory - July 2021 (Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
  [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E
  [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5 - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
  Pony Mail! (Mailing List; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20190619-0001/
  CVE-2019-0201 Apache ZooKeeper Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E
  [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201) - Pony Mail (Mailing List; Patch; Vendor Advisory)
- https://www.debian.org/security/2019/dsa-4461
  Debian -- Security Information -- DSA-4461-1 zookeeper (Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jun/13
  Bugtraq: [SECURITY] [DSA 4461-1] zookeeper security update (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3892
  RHSA-2019:3892 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:4352
  RHSA-2019:4352 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://issues.apache.org/jira/browse/ZOOKEEPER-1392
  [ZOOKEEPER-1392] Should not allow to read ACL when not authorized to read node - ASF JIRA (Issue Tracking; Patch; Vendor Advisory)
- https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E
  Pony Mail! (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
  [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
  (Mailing List; Vendor Advisory)
- http://www.securityfocus.com/bid/108427
  Apache ZooKeeper CVE-2019-0201 Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
Products affected by CVE-2019-0201
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.4:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:rc0:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.3:-:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.3:rc0:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.0:-:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:-:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.2:-:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.2:rc0:*:*:*:*:*:*
- cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*