ID CVE-2019-0212
Summary In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:hbase:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.0:alpha2:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.0:alpha3:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hbase:2.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:hbase:2.1.3:*:*:*:*:*:*:*
CVSS
Base: 6.0 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:S/C:P/I:P/A:P
refmap via4
bid 107624
confirm https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E
mlist
  • [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
  • [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  • [oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization
Last major update 24-08-2020 - 17:37
Published 28-03-2019 - 22:29
Last modified 24-08-2020 - 17:37
Back to Top