{"api_version":"1","generated_at":"2026-04-25T08:47:27+00:00","cve":"CVE-2019-0212","urls":{"html":"https://cve.report/CVE-2019-0212","api":"https://cve.report/api/cve/CVE-2019-0212.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-0212","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-0212"},"summary":{"title":"CVE-2019-0212","description":"In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2019-03-28 22:29:00","updated_at":"2023-11-07 03:01:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/107624","name":"107624","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache HBase CVE-2019-0212 Authorization Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E","name":"[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E","name":"[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/03/27/3","name":"[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - [CVE-2019-0212] Apache HBase REST Server incorrect user authorization","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E","name":"https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E","refsource":"CONFIRM","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E","name":"https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E","name":"[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E","name":"[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-0212","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-0212","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"212","vulnerable":"1","versionEndIncluding":"2.0.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"hbase","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"212","vulnerable":"1","versionEndIncluding":"2.1.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"hbase","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-0212","qid":"983780","title":"Java (maven) Security Update for org.apache.hbase:hbase (GHSA-535v-4x9q-446c)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-0212","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache","product":{"product_data":[{"product_name":"Apache HBase","version":{"version_data":[{"version_value":"Apache HBase 2.0.0-2.0.4"},{"version_value":"2.1.0-2.1.3"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Missing Authorization"}]}]},"references":{"reference_data":[{"refsource":"MLIST","name":"[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization","url":"http://www.openwall.com/lists/oss-security/2019/03/27/3"},{"refsource":"CONFIRM","name":"https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E","url":"https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E"},{"refsource":"BID","name":"107624","url":"http://www.securityfocus.com/bid/107624"},{"refsource":"MLIST","name":"[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"},{"refsource":"MLIST","name":"[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"}]},"description":{"description_data":[{"lang":"eng","value":"In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server."}]}},"nvd":{"publishedDate":"2019-03-28 22:29:00","lastModifiedDate":"2023-11-07 03:01:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndIncluding":"2.0.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*","versionStartIncluding":"2.1.0","versionEndIncluding":"2.1.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"212","Ordinal":"136332","Title":"CVE-2019-0212","CVE":"CVE-2019-0212","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"212","Ordinal":"1","NoteData":"In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"212","Ordinal":"2","NoteData":"2019-03-28","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"212","Ordinal":"3","NoteData":"2019-10-21","Type":"Other","Title":"Modified"}]}}}