ID CVE-2019-0201
Summary An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.4:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.4:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.5:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.5:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.5:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.6:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.6:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.7:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.7:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.8:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.8:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.9:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.9:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.9:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.9:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.10:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.10:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.10:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.11:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.11:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.11:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.12:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.12:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.12:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.13:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.13:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.4.13:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.1:rc4:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.2:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.2:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.2:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.2:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.3:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.3:rc0:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.3:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:zookeeper:3.5.4:beta:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:goldengate_stream_analytics:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_core_-_server_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_core_-_server_framework:19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_core_-_server_framework:20.12:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:timesten_in-memory_database:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:timesten_in-memory_database:11.2.2.8.27:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:timesten_in-memory_database:11.2.2.8.49:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:timesten_in-memory_database:18.1.2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 19-04-2022 - 15:35)
Impact:
Exploitability:
CWE CWE-862
CAPEC
Access
  Vector: NETWORK | Complexity: MEDIUM | Authentication: NONE
Impact
  Confidentiality: PARTIAL | Integrity: NONE | Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2019:3140
  • rhsa
    id RHSA-2019:3892
  • rhsa
    id RHSA-2019:4352
refmap via4
bid 108427
bugtraq 20190612 [SECURITY] [DSA 4461-1] zookeeper security update
confirm
debian DSA-4461
misc
mlist
  • [accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)
  • [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
  • [bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5
  • [debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update
  • [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
  • [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
Last major update 19-04-2022 - 15:35
Published 23-05-2019 - 14:29
Last modified 19-04-2022 - 15:35