Vulnerability Description
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Influxdata | Influxdb | < 1.7.6 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d98 (Patch, Third Party Advisory)
- https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6 (Patch, Third Party Advisory)
- https://github.com/influxdata/influxdb/issues/12927 (Issue Tracking, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4823 (Third Party Advisory)
FAQ
What is CVE-2019-20933?
CVE-2019-20933 is a vulnerability with a CVSS score of 9.8 (CRITICAL). InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
How severe is CVE-2019-20933?
CVE-2019-20933 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-20933?
Yes. The issue is fixed in InfluxDB 1.7.6 (see the upstream commit and the v1.7.5...v1.7.6 comparison in the references above); Debian shipped a fix through the DSA-4823 and LTS advisories listed there. Affected products: Influxdata Influxdb (versions before 1.7.6) and Debian Linux 9.0.
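To make the weakness described above concrete, here is an added Go example. It is not InfluxDB's code and not the patched handler.go; the function names, error values and the hand-rolled HS256 helper are assumptions made for illustration. It places a bearer-token check that hands whatever shared secret is configured straight to the HMAC verifier beside a hardened version that refuses bearer authentication when the secret is empty. Expiry and other claim checks are omitted to keep the focus on the secret-handling check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Errors returned by the bearer-token check (illustrative names, not InfluxDB's).
var (
	ErrNoSharedSecret = errors.New("bearer authentication disabled: no shared secret configured")
	ErrMalformedToken = errors.New("malformed JWT")
	ErrBadSignature   = errors.New("JWT signature verification failed")
	ErrNoUsername     = errors.New("JWT carries no username claim")
)

// signHS256 builds a compact JWT (header.payload.signature) with HS256.
// Constructed helper so the example can mint tokens offline for its own checks.
func signHS256(claims map[string]interface{}, secret string) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 checks the HS256 signature over header.payload and returns the claims.
// HMAC with an empty key is still a well-defined MAC, so a token signed with the
// secret "" verifies against the secret "": that is the root of the weakness.
func verifyHS256(token, secret string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformedToken
	}
	// Pin the algorithm to HS256 so the header cannot select "none" or another scheme.
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformedToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, ErrMalformedToken
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) { // constant-time compare
		return nil, ErrBadSignature
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformedToken
	}
	var claims map[string]interface{}
	if json.Unmarshal(payload, &claims) != nil {
		return nil, ErrMalformedToken
	}
	return claims, nil
}

func usernameFrom(claims map[string]interface{}) (string, error) {
	name, ok := claims["username"].(string)
	if !ok || name == "" {
		return "", ErrNoUsername
	}
	return name, nil
}

// authenticateBearerVulnerable mirrors the weak pattern: the configured shared
// secret is passed straight to the verifier, even when it is "".
func authenticateBearerVulnerable(token, sharedSecret string) (string, error) {
	claims, err := verifyHS256(token, sharedSecret)
	if err != nil {
		return "", err
	}
	return usernameFrom(claims)
}

// authenticateBearerFixed refuses bearer authentication outright when no shared
// secret is configured, so an empty-key signature can never be accepted.
func authenticateBearerFixed(token, sharedSecret string) (string, error) {
	if sharedSecret == "" {
		return "", ErrNoSharedSecret
	}
	claims, err := verifyHS256(token, sharedSecret)
	if err != nil {
		return "", err
	}
	return usernameFrom(claims)
}

func main() {
	// Constructed token signed with an empty key, checked against an empty configured secret.
	forged, _ := signHS256(map[string]interface{}{"username": "admin"}, "")
	_, err := authenticateBearerVulnerable(forged, "")
	fmt.Println("vulnerable check, empty secret:", err) // <nil>: accepted
	_, err = authenticateBearerFixed(forged, "")
	fmt.Println("fixed check, empty secret:", err) // bearer authentication disabled
}
```

The detection-side takeaway is the same as the fix: a deployment that enables bearer authentication must treat an unset or empty shared secret as a misconfiguration to fail closed on, not as a key to verify against.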