An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
References
Link Providers
http://www.securityfocus.com/bid/108427 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3140 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3892 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4352 cve-icon cve-icon
https://issues.apache.org/jira/browse/ZOOKEEPER-1392 cve-icon cve-icon
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-0201 cve-icon
https://seclists.org/bugtraq/2019/Jun/13 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190619-0001/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-0201 cve-icon
https://www.debian.org/security/2019/dsa-4461 cve-icon cve-icon
https://www.oracle.com//security-alerts/cpujul2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://zookeeper.apache.org/security.html#CVE-2019-0201 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2019-05-23T13:42:47

Updated: 2024-08-04T17:44:14.871Z

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0201

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-05-23T14:29:07.517

Modified: 2024-11-21T04:16:28.487

Link: CVE-2019-0201

cve-icon Redhat

Severity : Important

Publid Date: 2019-05-20T00:00:00Z

Links: CVE-2019-0201 - Bugzilla