CVE-2020-17533 : Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.

Published 2020-12-29 12:15:12

Updated 2024-01-31 10:15:08

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2020-17533

Apache » Accumulo
Versions from including (>=) 1.5.0 and up to, including, (<=) 1.10.0
cpe:2.3:a:apache:accumulo:*:*:*:*:*:*:*:*
Matching versions
Apache » Accumulo » Version: 2.0.0
cpe:2.3:a:apache:accumulo:2.0.0:-:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-17533

EPSS FAQ

5.31%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-17533

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:P	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2020-17533

CWE-252 Unchecked Return Value

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Assigned by:
- nvd@nist.gov (Secondary)
- security@apache.org (Primary)
CWE-280 Improper Handling of Insufficient Permissions or Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Assigned by: security@apache.org (Secondary)
CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-17533

https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed@%3Cannounce.apache.org%3E

[SECURITY] CVE-2020-17533: Apache Accumulo Improper Handling of Insufficient Permissions - Pony Mail
Mailing List;Vendor Advisory
https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cannounce.apache.org%3E

[SECURITY] CVE-2020-17533: Apache Accumulo Improper Handling of Insufficient Permissions-Apache Mail Archives
Vendor Advisory
http://www.openwall.com/lists/oss-security/2020/12/29/1

oss-security - CVE-2020-17533: Apache Accumulo Improper Handling of Insufficient Permissions
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cuser.accumulo.apache.org%3E

[SECURITY] CVE-2020-17533: Apache Accumulo Improper Handling of Insufficient Permissions - Pony Mail
Mailing List

Jump to

Vulnerability Details : CVE-2020-17533

Products affected by CVE-2020-17533

Exploit prediction scoring system (EPSS) score for CVE-2020-17533

CVSS scores for CVE-2020-17533

CWE ids for CVE-2020-17533

References for CVE-2020-17533