{"id":"CVE-2019-0201","details":"An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.","aliases":["GHSA-2hw2-62cp-p9p7"],"modified":"2026-04-11T12:09:51.987745Z","published":"2019-05-23T14:29:07.517Z","related":["SUSE-RU-2020:2072-1","SUSE-SU-2020:1066-1","SUSE-SU-2020:1190-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"1.16.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.5.0-alpha"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.5.1-alpha"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:zookeeper:3.5.1:alpha:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.5.2-alpha"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:zookeeper:3.5.2:alpha:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.5.3-beta"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.5.4-beta"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:zookeeper:3.5.4:beta:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"19.1.0.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"21.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"18.1.3.1.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:timesten_in-memory_database:*:*:
*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"1.0.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/108427"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3140"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3892"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4352"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Jun/13"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190619-0001/"}
,{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4461"},{"type":"ADVISORY","url":"https://zookeeper.apache.org/security.html#CVE-2019-0201"},{"type":"FIX","url":"https://issues.apache.org/jira/browse/ZOOKEEPER-1392"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/activemq","events":[{"introduced":"0"},{"last_affected":"855ba82071e0ce64d9b38cc610edfd38ed332cb3"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"5.15.9"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*"}}],"versions":["activemq-5.10.0","activemq-5.11.0","activemq-5.12.0","activemq-5.13.0","activemq-5.14.0","activemq-5.15.0","activemq-5.15.1","activemq-5.15.2","activemq-5.15.3","activemq-5.15.4","activemq-5.15.5","activemq-5.15.6","activemq-5.15.7","activemq-5.15.8","activemq-5.15.9","activemq-5.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-0201.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/apache/zookeeper","events":[{"introduced":"0"},{"last_affected":"2d71af4dbe22557fda74f9a9b4309b15a7487f03"},{"last_affected":"22dd197a0327eef989feaf2109e5e7371624f743"},{"last_affected":"ab2aa27ff452a3c2331761854a9bf5a63e01954c"},{"last_affected":"59adfa23fb6c1b9034283d6fc09cd7a4a8e6e0b1"},{"last_affected":"1ce2f9e1952004fc10924eb13c585c24d6523ba8"},{"last_affected":"0014376a18ba46df973b06e85bcf6694b0fa91d4"},{"last_affected":"d2ff69d0a3100d42b153feda96a66f518c59347e"},{"last_affected":"28b0bd08f5ec95b4743f04963867180377378bd4"},{"last_affected":"75276c6dfc659765ec89dadffbc4b61a18b91a5f"},{"last_affected":"3f572f0a3568ad21d7a1175ecde007b222c74cf4"},{"last_affected":"554ad8c4d79e5077961a964d7bee2b413b9ea0e
a"},{"last_affected":"c8a224f4821e5201ba8816731c6b1a28582210f4"},{"last_affected":"8ce24f9e675cbefffb8f21a47e06b42864475a60"}],"database_specific":{"extracted_events":[{"introduced":"1.0.0"},{"last_affected":"3.4.13"},{"introduced":"0"},{"last_affected":"3.5.0-NA"},{"last_affected":"3.5.0-rc0"},{"last_affected":"3.5.1-NA"},{"last_affected":"3.5.1-rc0"},{"last_affected":"3.5.1-rc1"},{"last_affected":"3.5.1-rc2"},{"last_affected":"3.5.1-rc3"},{"last_affected":"3.5.1-rc4"},{"last_affected":"3.5.2-NA"},{"last_affected":"3.5.2-rc0"},{"last_affected":"3.5.2-rc1"},{"last_affected":"3.5.3-NA"},{"last_affected":"3.5.3-rc0"},{"last_affected":"3.5.3-rc1"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.0:-:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.0:rc0:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.1:-:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.1:rc0:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.1:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.1:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.1:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.1:rc4:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.2:-:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.2:rc0:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.2:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.3:-:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.3:rc0:*:*:*:*:*:*","cpe:2.3:a:apache:zookeeper:3.5.3:rc1:*:*:*:*:*:*"]}}],"versions":["release-3.4.10","release-3.4.10-rc0","release-3.4.10-rc1","release-3.4.11","release-3.4.11-rc0","release-3.4.11-rc1","release-3.4.12","release-3.4.12-rc0","release-3.4.12-rc1","release-3.4.13","release-3.4.13-rc0","release-3.4.13-rc1","release-3.5.0","release-3.5.0-rc0","release-3.5.1","release-3.5.1-rc0","release-3.5.1-rc1","release-3.5.1-rc2","release-3.5.1-rc3","release-3.5.1-rc4","release-3.5.2","release-3.5.2-rc0","release-3.5.2-rc1","release-3.5.3","release-3.5.3-rc0","release-3.5.3-rc1"],"database_specific":{"source":"https://storage.goo
gleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-0201.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}