Vulnerability Change Records for CVE-2019-0201

Change History

CVE Modified by Apache Software Foundation 6/12/2019 7:29:00 AM

Action Type Old Value New Value
Added Reference
https://www.debian.org/security/2019/dsa-4461 [No Types Assigned]

Initial Analysis 5/24/2019 10:37:27 AM

Action Type Old Value New Value
Added CPE Configuration
OR
     *cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:* versions from (including) 1.0.0 up to (including) 3.4.13
     *cpe:2.3:a:apache:zookeeper:3.5.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.0:rc0:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:alpha:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:rc0:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:rc3:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.1:rc4:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.2:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.2:alpha:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.2:rc0:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.2:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.3:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.3:rc0:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.3:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:zookeeper:3.5.4:beta:*:*:*:*:*:*
Added CPE Configuration
OR
     *cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Added CVSS V2
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Added CVSS V3
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Added CWE
CWE-275
Changed Reference Type
http://www.securityfocus.com/bid/108427 No Types Assigned
http://www.securityfocus.com/bid/108427 Third Party Advisory, VDB Entry
Changed Reference Type
https://issues.apache.org/jira/browse/ZOOKEEPER-1392 No Types Assigned
https://issues.apache.org/jira/browse/ZOOKEEPER-1392 Issue Tracking, Patch, Vendor Advisory
Changed Reference Type
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html No Types Assigned
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html Third Party Advisory
Changed Reference Type
https://zookeeper.apache.org/security.html#CVE-2019-0201 No Types Assigned
https://zookeeper.apache.org/security.html#CVE-2019-0201 Vendor Advisory

CVE Modified by Apache Software Foundation 5/24/2019 6:29:00 AM

Action Type Old Value New Value
Added Reference
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html [No Types Assigned]

CVE Modified by Apache Software Foundation 8/20/2019 9:16:16 PM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Added Reference
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 10/20/2020 6:15:27 PM

Action Type Old Value New Value
Added Reference
https://www.oracle.com/security-alerts/cpuoct2020.html [No Types Assigned]

CVE Modified by Apache Software Foundation 6/05/2019 4:29:00 PM

Action Type Old Value New Value
Added Reference
https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 2/10/2020 4:48:46 PM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

CVE Modified by Apache Software Foundation 5/31/2019 5:29:00 AM

Action Type Old Value New Value
Added Reference
https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 12/19/2019 5:15:12 PM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Added Reference
https://access.redhat.com/errata/RHSA-2019:4352 [No Types Assigned]

CVE Modified by Apache Software Foundation 6/12/2019 1:29:02 PM

Action Type Old Value New Value
Added Reference
https://seclists.org/bugtraq/2019/Jun/13 [No Types Assigned]

CWE Remap 8/24/2020 1:37:01 PM

Action Type Old Value New Value
Changed CWE
CWE-275
CWE-862

CVE Modified by Apache Software Foundation 6/19/2019 6:15:11 AM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Added Reference
https://security.netapp.com/advisory/ntap-20190619-0001/ [No Types Assigned]

CVE Modified by Apache Software Foundation 11/14/2019 7:15:11 PM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Added Reference
https://access.redhat.com/errata/RHSA-2019:3892 [No Types Assigned]
Added Reference
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 7/14/2020 11:15:40 PM

Action Type Old Value New Value
Added Reference
https://www.oracle.com/security-alerts/cpujul2020.html [No Types Assigned]

CVE Modified by Apache Software Foundation 10/17/2019 2:15:12 PM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Added Reference
https://access.redhat.com/errata/RHSA-2019:3140 [No Types Assigned]

CVE Modified by Apache Software Foundation 10/17/2019 6:15:14 PM

Action Type Old Value New Value
Changed Description
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Added Reference
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E [No Types Assigned]