QwikSec

Security Database

CVE

CWE

Training

CVE-2019-0201

Published: May 23, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Vendor	Product	Versions
Apache Software Foundation	Apache ZooKeeper	affected `1.0.0 to 3.4.13` affected `3.5.0-alpha to 3.5.4-beta`

References

vdb-entry

x_refsource_BID

[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update

mailing-list

x_refsource_MLIST

[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5

mailing-list

x_refsource_MLIST

[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

20190612 [SECURITY] [DSA 4461-1] zookeeper security update

mailing-list

x_refsource_BUGTRAQ

[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_REDHAT

[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities

mailing-list

x_refsource_MLIST

[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

mailing-list

x_refsource_MLIST

[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

https://www.oracle.com/security-alerts/cpujul2020.html

x_refsource_MISC

https://issues.apache.org/jira/browse/ZOOKEEPER-1392

x_refsource_MISC

https://zookeeper.apache.org/security.html#CVE-2019-0201

x_refsource_CONFIRM

https://security.netapp.com/advisory/ntap-20190619-0001/

x_refsource_CONFIRM

https://www.oracle.com/security-alerts/cpuoct2020.html

x_refsource_MISC

https://www.oracle.com//security-alerts/cpujul2021.html

x_refsource_MISC

[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.