CVE-2019-0201 (Medium) detected in zookeeper-3.4.10.jar

[mend-bolt-for-github[bot]]

CVE-2019-0201 - Medium Severity Vulnerability

Vulnerable Library - zookeeper-3.4.10.jar

null

Path to dependency file: /interlok-kafka/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.10/8eebdbb7a9df83e02eaa42d0e5da0b57bf2e4da/zookeeper-3.4.10.jar

Dependency Hierarchy: - kafka_2.11-1.1.1.jar (Root Library) - :x: **zookeeper-3.4.10.jar** (Vulnerable Library)

Found in HEAD commit: e191b5edc0a74340de2c0ef0a1a62ab75d018662

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution: 3.4.14, 3.5.5

---

Step up your Open Source Security Game with WhiteSource here

[quotidian-ennui]

Turning off whitesource; it doesn't give us anything more than snyk.io