An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value is disclosed by a getACL() request to unauthenticated or unprivileged users.
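As an added illustration (not code from this page or from ZooKeeper itself), the following Python reproduces the digest-scheme Id layout that DigestAuthenticationProvider stores in an ACL and audits constructed getACL-style responses for entries that an affected server would hand to any client; the Id layout `user:base64(SHA-1("user:password"))` is assumed from the provider's documented behaviour, and the node paths and credentials are constructed sample data.

```python
import base64
import hashlib


def zk_digest_id(user: str, password: str) -> str:
    """Build the ACL Id that the digest scheme stores for a user.

    Assumed layout, matching DigestAuthenticationProvider.generateDigest:
    "user:base64(SHA-1("user:password"))". There is no salt, so the same
    credential always yields the same Id, which is what getACL() leaks on
    the affected versions.
    """
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


# Constructed getACL-style responses: path -> list of (perms, scheme, id).
# Permission bits are ZooKeeper's (31 = all, 1 = read).
SAMPLE_ACLS = {
    "/config/db": [(31, "digest", zk_digest_id("dbadmin", "hunter2"))],
    "/public": [(1, "world", "anyone")],
    "/app/lock": [(31, "sasl", "app@EXAMPLE.COM"), (1, "world", "anyone")],
}


def exposed_digest_ids(acls):
    """Return (path, id) for every ACL entry whose Id carries a digest hash.

    Entries using the world or sasl schemes carry no secret in the Id
    field; only digest entries disclose an authentication hash via getACL().
    """
    return [
        (path, acl_id)
        for path, entries in acls.items()
        for _perms, scheme, acl_id in entries
        if scheme == "digest"
    ]


if __name__ == "__main__":
    for path, acl_id in exposed_digest_ids(SAMPLE_ACLS):
        print(f"{path}: digest Id readable by unauthenticated clients: {acl_id}")
```

Pointing the audit at real getACL output (for example from a client library's get_acls call) lists the nodes whose digest credentials should be rotated once the affected server is upgraded.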
Vulnerable Product |
---|
apache zookeeper 3.5.3 |
apache zookeeper 3.5.0 |
apache zookeeper |
apache zookeeper 3.5.1 |
apache zookeeper 3.5.2 |
apache zookeeper 3.5.4 |
apache drill 1.16.0 |
apache activemq 5.15.9 |
debian debian linux 8.0 |
debian debian linux 9.0 |
redhat fuse 1.0.0 |
oracle goldengate stream analytics |
oracle siebel core - server framework |
oracle timesten in-memory database |
netapp hci_bootstrap_os - |
netapp element software - |