Candidate: CVE-2019-0201
PublicDate: 2019-05-23 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201
 https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Description:
 An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to
 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when
 retrieves the ACLs of the requested node and returns all information
 contained in the ACL Id field as plaintext string.
 DigestAuthenticationProvider overloads the Id field with the hash value
 that is used for user authentication. As a consequence, if Digest
 Authentication is in use, the unsalted hash value will be disclosed by
 getACL() request for unauthenticated or unprivileged users.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929283
 https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_zookeeper:
 upstream: https://gitbox.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=5ff19e3672987bdde2843a3f031e2bf0010e35f1
upstream_zookeeper: released (3.4.9-3+deb9u2)
precise/esm_zookeeper: DNE
trusty_zookeeper: ignored (out of standard support)
trusty/esm_zookeeper: needed
xenial_zookeeper: ignored (end of standard support, was needed)
bionic_zookeeper: needed
cosmic_zookeeper: ignored (reached end-of-life)
disco_zookeeper: ignored (reached end-of-life)
eoan_zookeeper: ignored (reached end-of-life)
focal_zookeeper: not-affected (3.4.13-3)
groovy_zookeeper: not-affected (3.4.13-3)
hirsute_zookeeper: not-affected (3.4.13-3)
impish_zookeeper: not-affected (3.4.13-3)
jammy_zookeeper: not-affected (3.4.13-3)
devel_zookeeper: not-affected (3.4.13-3)