CVE-2019-0201 — MEDIUM (5.9)

Q: How severe is CVE-2019-0201?

CVE-2019-0201 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-0201?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq, Apache Drill, Apache Zookeeper, Debian Debian Linux, Redhat Fuse.

Vulnerability Description

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Activemq	5.15.9
Apache	Drill	1.16.0
Apache	Zookeeper	>= 1.0.0, <= 3.4.13
Debian	Debian Linux	8.0
Redhat	Fuse	1.0.0
Oracle	Goldengate Stream Analytics	< 19.1.0.0.1
Oracle	Siebel Core - Server Framework	<= 21.5
Oracle	Timesten In-Memory Database	< 18.1.3.1.0
Netapp	Hci Bootstrap Os	-
Netapp	Hci Compute Node	-
Netapp	Element Software	-

Related Weaknesses (CWE)

CWE-862

References

http://www.securityfocus.com/bid/108427Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:3140Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
https://issues.apache.org/jira/browse/ZOOKEEPER-1392Issue TrackingPatchVendor Advisory
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e
https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601f
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12e
https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d28
https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e5342
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.htmlMailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Jun/13Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20190619-0001/Third Party Advisory

FAQ

What is CVE-2019-0201?

CVE-2019-0201 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and retur...

How severe is CVE-2019-0201?

CVE-2019-0201 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-0201?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq, Apache Drill, Apache Zookeeper, Debian Debian Linux, Redhat Fuse.