CVE-2019-0201

Summary

CVE	CVE-2019-0201
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-05-23 14:29:00 UTC
Updated	2023-11-07 03:01:00 UTC
Description	An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Risk And Classification

Problem Types: CWE-862

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Activemq	5.15.9	All	All	All
Application	Apache	Drill	1.16.0	All	All	All
Application	Apache	Zookeeper	3.5.0	-	All	All
Application	Apache	Zookeeper	3.5.0	alpha	All	All
Application	Apache	Zookeeper	3.5.0	rc0	All	All
Application	Apache	Zookeeper	3.5.1	-	All	All
Application	Apache	Zookeeper	3.5.1	alpha	All	All
Application	Apache	Zookeeper	3.5.1	rc0	All	All
Application	Apache	Zookeeper	3.5.1	rc1	All	All
Application	Apache	Zookeeper	3.5.1	rc2	All	All
Application	Apache	Zookeeper	3.5.1	rc3	All	All
Application	Apache	Zookeeper	3.5.1	rc4	All	All
Application	Apache	Zookeeper	3.5.2	-	All	All
Application	Apache	Zookeeper	3.5.2	alpha	All	All
Application	Apache	Zookeeper	3.5.2	rc0	All	All
Application	Apache	Zookeeper	3.5.2	rc1	All	All
Application	Apache	Zookeeper	3.5.3	-	All	All
Application	Apache	Zookeeper	3.5.3	beta	All	All
Application	Apache	Zookeeper	3.5.3	rc0	All	All
Application	Apache	Zookeeper	3.5.3	rc1	All	All
Application	Apache	Zookeeper	3.5.4	beta	All	All
Application	Apache	Zookeeper	3.5.0	-	All	All
Application	Apache	Zookeeper	3.5.0	alpha	All	All
Application	Apache	Zookeeper	3.5.0	rc0	All	All
Application	Apache	Zookeeper	3.5.1	-	All	All
Application	Apache	Zookeeper	3.5.1	alpha	All	All
Application	Apache	Zookeeper	3.5.1	rc0	All	All
Application	Apache	Zookeeper	3.5.1	rc1	All	All
Application	Apache	Zookeeper	3.5.1	rc2	All	All
Application	Apache	Zookeeper	3.5.1	rc3	All	All
Application	Apache	Zookeeper	3.5.1	rc4	All	All
Application	Apache	Zookeeper	3.5.2	-	All	All
Application	Apache	Zookeeper	3.5.2	alpha	All	All
Application	Apache	Zookeeper	3.5.2	rc0	All	All
Application	Apache	Zookeeper	3.5.2	rc1	All	All
Application	Apache	Zookeeper	3.5.3	-	All	All
Application	Apache	Zookeeper	3.5.3	beta	All	All
Application	Apache	Zookeeper	3.5.3	rc0	All	All
Application	Apache	Zookeeper	3.5.3	rc1	All	All
Application	Apache	Zookeeper	3.5.4	beta	All	All
Application	Apache	Zookeeper	All	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Application	Netapp	Element Software	-	All	All	All
Operating System	Netapp	Hci Bootstrap Os	-	All	All	All
Hardware	Netapp	Hci Compute Node	-	All	All	All
Application	Oracle	Goldengate Stream Analytics	All	All	All	All
Application	Oracle	Siebel Core - Server Framework	All	All	All	All
Application	Oracle	Timesten In-memory Database	All	All	All	All
Application	Redhat	Fuse	1.0.0	All	All	All

References

Reference	Source	Link	Tags
[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.		lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com
Apache ZooKeeper CVE-2019-0201 Information Disclosure Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - July 2020	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Bugtraq: [SECURITY] [DSA 4461-1] zookeeper security update	BUGTRAQ	seclists.org
Red Hat Customer Portal	REDHAT	access.redhat.com
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Debian -- Security Information -- DSA-4461-1 zookeeper	DEBIAN	www.debian.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
CVE-2019-0201 Apache ZooKeeper Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Pony Mail!		lists.apache.org
Apache ZooKeeper	CONFIRM	zookeeper.apache.org	Vendor Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[ZOOKEEPER-1392] Should not allow to read ACL when not authorized to read node - ASF JIRA	MISC	issues.apache.org	Issue Tracking, Patch, Vendor Advisory
[SECURITY] [DLA 1801-1] zookeeper security update	MLIST	lists.debian.org	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

200055 Ubuntu Security Notification for ZooKeeper Vulnerabilities (USN-6559-1)
981456 Java (maven) Security Update for org.apache.zookeeper:zookeeper (GHSA-2hw2-62cp-p9p7)