Vulnerabilities related to apache - hbase
cve-2018-8025
Vulnerability from cvelistv5
Published
2018-06-27 15:00
Modified
2024-09-16 16:12
Severity ?
EPSS score ?
Summary
CVE-2018-8025 describes an issue in Apache HBase that affects the optional "Thrift 1" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/104554 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E | x_refsource_MISC |
Impacted products
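Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache HBase | Apache Tomcat 1.x and 2.x, excluding 1.0.0 |

Note: the version string is reproduced verbatim from the CNA record, which names "Apache Tomcat" although the product is Apache HBase. Tooling that matches on this field will not identify affected HBase releases; use the fixed versions given in the summary (1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1) when checking a deployment.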
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:46:12.237Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "104554", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104554" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache HBase", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache Tomcat 1.x and 2.x, excluding 1.0.0" } ] } ], "datePublic": "2018-06-22T00:00:00", "descriptions": [ { "lang": "en", "value": "CVE-2018-8025 describes an issue in Apache HBase that affects the optional \"Thrift 1\" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "User Authentication", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-28T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "104554", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104554" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-06-22T00:00:00", "ID": "CVE-2018-8025", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache HBase", "version": { "version_data": [ { "version_value": "Apache Tomcat 1.x and 2.x, excluding 1.0.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CVE-2018-8025 describes an issue in Apache HBase that affects the optional \"Thrift 1\" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Authentication" } ] } ] }, "references": { "reference_data": [ { "name": "104554", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104554" }, { "name": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96@%3Cdev.hbase.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96@%3Cdev.hbase.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-8025", "datePublished": "2018-06-27T15:00:00Z", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2024-09-16T16:12:44.735Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-0212
Vulnerability from cvelistv5
Published
2019-03-28 21:24
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.
References
▼ | URL | Tags |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/03/27/3 | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/107624 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache | Apache HBase | Apache HBase 2.0.0-2.0.4; 2.1.0-2.1.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:14.866Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E" }, { "name": "107624", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/107624" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache HBase", "vendor": "Apache", "versions": [ { "status": "affected", "version": "Apache HBase 2.0.0-2.0.4" }, { "status": "affected", "version": "2.1.0-2.1.3" } ] } ], "datePublic": "2019-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. 
Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server." } ], "problemTypes": [ { "descriptions": [ { "description": "Missing Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-21T15:06:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E" }, { "name": "107624", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/107624" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-0212", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache HBase", 
"version": { "version_data": [ { "version_value": "Apache HBase 2.0.0-2.0.4" }, { "version_value": "2.1.0-2.1.3" } ] } } ] }, "vendor_name": "Apache" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3" }, { "name": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E", "refsource": "CONFIRM", "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E" }, { "name": "107624", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107624" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0212", "datePublished": "2019-03-28T21:24:07", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-04T17:44:14.866Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15544
Vulnerability from cvelistv5
Published
2019-08-26 17:08
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
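An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.
Note: this description covers the Rust protobuf crate, not Apache HBase itself, and the record names no affected vendor or product ("n/a"). It apparently appears under HBase because its references include HBase and Hadoop mailing-list threads (HBASE-26234, HADOOP-17860) that cite it against protobuf-java-2.5.0.jar. Confirm whether the Java artifact is actually in scope before treating a scanner hit on this CVE as an HBase finding.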
References
▼ | URL | Tags |
---|---|---|
https://rustsec.org/advisories/RUSTSEC-2019-0003.html | x_refsource_MISC | |
https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.577Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://rustsec.org/advisories/RUSTSEC-2019-0003.html" }, { "name": "[hbase-issues] 20210828 [jira] [Commented] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-dev] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hadoop-common-issues] 20210902 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was 
discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-02T14:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://rustsec.org/advisories/RUSTSEC-2019-0003.html" }, { "name": "[hbase-issues] 20210828 [jira] [Commented] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-dev] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hadoop-common-issues] 20210902 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15544", "STATE": "PUBLIC" }, 
"affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://rustsec.org/advisories/RUSTSEC-2019-0003.html", "refsource": "MISC", "url": "https://rustsec.org/advisories/RUSTSEC-2019-0003.html" }, { "name": "[hbase-issues] 20210828 [jira] [Commented] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-dev] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd@%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae@%3Cissues.hbase.apache.org%3E" }, { "name": "[hadoop-common-issues] 20210902 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544", "refsource": "MLIST", "url": 
"https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932@%3Ccommon-issues.hadoop.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15544", "datePublished": "2019-08-26T17:08:30", "dateReserved": "2019-08-25T00:00:00", "dateUpdated": "2024-08-05T00:49:13.577Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-2193
Vulnerability from cvelistv5
Published
2014-05-29 14:00
Modified
2024-08-06 15:27
Severity ?
EPSS score ?
Summary
Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html | x_refsource_CONFIRM | |
http://osvdb.org/96615 | vdb-entry, x_refsource_OSVDB | |
http://seclists.org/fulldisclosure/2013/Aug/250 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:41.078Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "name": "96615", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/96615" }, { "name": "20130823 CVE-2013-2193: Apache HBase Man in the Middle Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Aug/250" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-23T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "name": "96615", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/96615" }, { "name": "20130823 CVE-2013-2193: Apache HBase Man in the Middle Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Aug/250" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2193", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html", "refsource": "CONFIRM", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "name": "96615", "refsource": "OSVDB", "url": "http://osvdb.org/96615" }, { "name": "20130823 CVE-2013-2193: Apache HBase Man in the Middle Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Aug/250" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2193", "datePublished": "2014-05-29T14:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:41.078Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-1836
Vulnerability from cvelistv5
Published
2015-12-21 11:00
Modified
2024-08-06 04:54
Severity ?
EPSS score ?
Summary
Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic.
References
▼ | URL | Tags |
---|---|---|
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E | mailing-list, x_refsource_MLIST | |
http://www-01.ibm.com/support/docview.wss?uid=swg21969546 | x_refsource_CONFIRM | |
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1034365 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T04:54:16.347Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[www-announce] 20150525 CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "name": "1034365", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034365" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-23T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[www-announce] 20150525 CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "name": "1034365", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034365" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-1836", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[www-announce] 20150525 CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg@mail.gmail.com%3E" }, { "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546" }, { "name": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html", "refsource": "CONFIRM", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "name": "1034365", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034365" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-1836", "datePublished": "2015-12-21T11:00:00", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:54:16.347Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd (CVE-2013-2193)
Published
2014-05-29 14:19
Modified
2024-11-21 01:51
Severity: MEDIUM (CVSS v2 base score 4.3, vector AV:A/AC:H/Au:N/C:P/I:P/A:P; source nvd@nist.gov)
Summary
Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:hbase:0.92.0:*:*:*:*:*:*:*", "matchCriteriaId": "804A0AA5-7AA1-4358-BA71-49334BFEEE77", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.92.1:*:*:*:*:*:*:*", "matchCriteriaId": "B929D829-96F5-4113-B24B-DB5ED62E4067", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.92.2:*:*:*:*:*:*:*", "matchCriteriaId": "F3A6634B-5961-4742-B488-22F6E412E96A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.0:*:*:*:*:*:*:*", "matchCriteriaId": "6F59962D-DE11-4015-9066-24F3C7518CD3", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.1:*:*:*:*:*:*:*", "matchCriteriaId": "45CA893D-DA31-4807-9217-9CFB360B5880", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.2:*:*:*:*:*:*:*", "matchCriteriaId": "29AA8948-FA22-4F0F-A474-859C3ED2F1E2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.3:*:*:*:*:*:*:*", "matchCriteriaId": "6F2C9CDC-ACB3-4819-BC75-EDAC0B2EE806", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.4:*:*:*:*:*:*:*", "matchCriteriaId": "A5826774-F65D-4A7D-A4B1-A51FE04C0CB2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.5:*:*:*:*:*:*:*", "matchCriteriaId": "062C34FE-DB16-49EE-8869-128C8E11FEDF", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.6:*:*:*:*:*:*:*", "matchCriteriaId": "F4C97D9B-D6F0-4F20-847F-77F9493E70A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "0777B099-7380-4060-A62C-DF1EF5FCD191", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.7:*:*:*:*:*:*:*", "matchCriteriaId": "A82B7232-92C7-4D8C-B0D8-2DEC73AA1CD1", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.94.8:*:*:*:*:*:*:*", "matchCriteriaId": "5E33C81F-8F8D-4259-BF03-0B631F70FE96", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", 
"value": "Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors." }, { "lang": "es", "value": "Apache HBase 0.92.x anterior a 0.92.3 y 0.94.x anterior a 0.94.9, cuando las funcionalidades Kerberos est\u00e1n habilitadas, permite a atacantes man-in-the-middle deshabilitar autenticaci\u00f3n bidireccional y obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2013-2193", "lastModified": "2024-11-21T01:51:13.320", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.2, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-05-29T14:19:06.927", "references": [ { "source": "secalert@redhat.com", "url": "http://osvdb.org/96615" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Aug/250" }, { "source": "secalert@redhat.com", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/96615" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Aug/250" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": 
"Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-06-27 15:29
Modified
2024-11-21 04:13
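Severity: HIGH (CVSS v3.0 base score 8.1; CVSS v2.0 base score 6.8, MEDIUM), per the NVD metrics in the record below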
Summary
CVE-2018-8025 describes an issue in Apache HBase that affects the optional "Thrift 1" API server when running over HTTP. A race condition could lead to authenticated sessions being applied to the wrong users: for example, one authenticated user could be treated as a different user, or an unauthenticated user could be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions 1.2.6.1, 1.3.2.1, 1.4.5, and 2.0.1.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "43560EDF-E0C0-4325-8A0E-610C810CDCB6", "versionEndIncluding": "2.0.0", "versionStartExcluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.92.0:*:*:*:*:*:*:*", "matchCriteriaId": "804A0AA5-7AA1-4358-BA71-49334BFEEE77", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CVE-2018-8025 describes an issue in Apache HBase that affects the optional \"Thrift 1\" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1." }, { "lang": "es", "value": "CVE-2018-8025 describe un problema en Apache HBase que afecta al servidor opcional de la API \"Thrift 1\" cuando se ejecuta por HTTP. Hay una condici\u00f3n de carrera que puede conducir a que se aplican sesiones autenticadas incorrectamente a los usuarios, por ejemplo, un usuario autenticado se considerar\u00eda un usuario diferente o un usuario no autenticado se tratar\u00eda como usuario autenticado. https://issues.apache.org/jira/browse/HBASE-20664 implementa una soluci\u00f3n para este problema. Se ha solucionado en las versiones: 1.2.6.1, 1.3.2.1, 1.4.5 y 2.0.1." 
} ], "id": "CVE-2018-8025", "lastModified": "2024-11-21T04:13:07.220", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-27T15:29:00.217", "references": [ { "source": "security@apache.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/104554" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/104554" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-362" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-03-28 22:29
Modified
2024-11-21 04:16
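Severity: HIGH (CVSS v3.0 base score 7.5; CVSS v2.0 base score 6.0, MEDIUM), per the NVD metrics in the record below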
Summary
In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CEF8C79-1D27-4191-8D8C-124862F29A4E", "versionEndIncluding": "2.0.4", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3D3D726-7894-4CE4-8894-0D5551910235", "versionEndIncluding": "2.1.3", "versionStartIncluding": "2.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server." }, { "lang": "es", "value": "En todas las versiones anteriormente publicadas de Apache HBase 2.x (2.0.0-2.0.4, 2.1.0-2.1.3), se aplicaba una autorizaci\u00f3n de manera incorrecta a los usuarios del servidor REST \"HBase\". Todas las peticiones enviadas al servidor REST \"HBase\" se ejecutaban con los permisos del propio servidor REST y no con los permisos del usuario final. Este fallo solo es relevante cuando HBase est\u00e1 configurado con una autenticaci\u00f3n Kerberos, la autorizaci\u00f3n HBase se encuentra habilitada y el servidor REST est\u00e1 configurado con una autenticaci\u00f3n SPNEGO. Este fallo no va m\u00e1s all\u00e1 del servidor REST \"HBase\"." 
} ], "id": "CVE-2019-0212", "lastModified": "2024-11-21T04:16:29.913", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-03-28T22:29:00.370", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3" }, { "source": "security@apache.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107624" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107624" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-12-21 11:59
Modified
2024-11-21 02:26
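Severity: HIGH (CVSS v3.0 base score 7.3; CVSS v2.0 base score 7.5, HIGH), per the NVD metrics in the record below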
Summary
Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ibm | infosphere_biginsights | 3.0.0.0 | |
ibm | infosphere_biginsights | 3.0.0.1 | |
ibm | infosphere_biginsights | 3.0.0.2 | |
apache | hbase | 0.98.0 | |
apache | hbase | 0.98.1 | |
apache | hbase | 0.98.2 | |
apache | hbase | 0.98.3 | |
apache | hbase | 0.98.4 | |
apache | hbase | 0.98.5 | |
apache | hbase | 0.98.6 | |
apache | hbase | 0.98.6.1 | |
apache | hbase | 0.98.7 | |
apache | hbase | 0.98.8 | |
apache | hbase | 0.98.9 | |
apache | hbase | 0.98.10 | |
apache | hbase | 0.98.10.1 | |
apache | hbase | 0.98.11 | |
apache | hbase | 0.98.12 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ibm:infosphere_biginsights:3.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "31342AF9-D73E-4B72-A98D-00E33A7088C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:ibm:infosphere_biginsights:3.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "6771B5C2-7291-4A8F-A558-679768838EAE", "vulnerable": true }, { "criteria": "cpe:2.3:a:ibm:infosphere_biginsights:3.0.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1875306C-CF9A-423D-9786-B880A5EAD2DB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:hbase:0.98.0:*:*:*:*:*:*:*", "matchCriteriaId": "2A66CE40-F991-48AE-A534-FEF5E3A98260", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.1:*:*:*:*:*:*:*", "matchCriteriaId": "CF81904A-1E88-40FB-831F-B3A7E0474137", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.2:*:*:*:*:*:*:*", "matchCriteriaId": "07CFB1BA-EFBF-47A4-8F58-EEFBCF3ECD74", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.3:*:*:*:*:*:*:*", "matchCriteriaId": "BB3B53E7-B20C-4829-852E-E8278102440A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.4:*:*:*:*:*:*:*", "matchCriteriaId": "73948924-09F9-4319-BEA4-2428551656A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.5:*:*:*:*:*:*:*", "matchCriteriaId": "5BF5EA17-4864-46F7-AF70-173EE11F6F06", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.6:*:*:*:*:*:*:*", "matchCriteriaId": "3D7E96A3-E436-42CA-9DB2-B4F2AAD73E0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "7AD63CF2-5603-4F39-BD01-8590935D2417", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.7:*:*:*:*:*:*:*", "matchCriteriaId": "9D0443EB-35D3-43FC-9DC8-20270946E7E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.8:*:*:*:*:*:*:*", "matchCriteriaId": "95094683-D1BB-4736-AA82-6D51ABFE1193", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.9:*:*:*:*:*:*:*", "matchCriteriaId": "752C9A6F-59D2-43BA-802C-0B7AC7A2B60D", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.10:*:*:*:*:*:*:*", "matchCriteriaId": "376B0B86-D24C-43CC-81FF-4FA1E6FC37DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "ADCAAC52-62D1-4AAC-B017-B2B305FE556A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.11:*:*:*:*:*:*:*", "matchCriteriaId": "B4F3617F-4003-4822-B8B4-9610CAD57F03", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:hbase:0.98.12:*:*:*:*:*:*:*", "matchCriteriaId": "7DA60F7E-7EF8-4440-A0CA-B681AF5D44A0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic." }, { "lang": "es", "value": "Apache HBase 0.98 en versiones anteriores a 0.98.12.1, 1.0 en versiones anteriores a 1.0.1.1 y 1.1 en versiones anteriores a 1.1.0.1, como se utiliza en IBM InfoSphere BigInsights 3.0, 3.0.0.1 y 3.0.0.2 y en otros productos, utiliza de forma incorrecta ACLs para el estado de coordinaci\u00f3n de ZooKeeper, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (interrupci\u00f3n del demonio), obtener informaci\u00f3n sensible o modificar datos a trav\u00e9s de tr\u00e1fico de cliente no especificado." 
} ], "id": "CVE-2015-1836", "lastModified": "2024-11-21T02:26:14.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2015-12-21T11:59:01.140", "references": [ { "source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969546" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034365" }, { "source": "secalert@redhat.com", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCA+RK=_CFiTfQ2d0V+kuJx_y5izmYccaKjXaJ3V72KK7tbOhbkg%40mail.gmail.com%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21969546" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-26 18:15
Modified
2024-11-21 04:28
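Severity: HIGH (CVSS v3.1 base score 7.5; CVSS v2.0 base score 5.0, MEDIUM), per the NVD metrics in the record below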
Summary
An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
rust-protobuf_project | rust-protobuf | * | |
rust-protobuf_project | rust-protobuf | * | |
apache | hbase | 2.2.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:rust-protobuf_project:rust-protobuf:*:*:*:*:*:*:*:*", "matchCriteriaId": "44521A90-2AC4-40BD-AECC-722066B664DA", "versionEndExcluding": "1.7.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:rust-protobuf_project:rust-protobuf:*:*:*:*:*:*:*:*", "matchCriteriaId": "461C0614-9C0D-4D91-A754-78A555BD0D17", "versionEndExcluding": "2.6.0", "versionStartIncluding": "2.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:hbase:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "01CD9BDC-9AE1-4F63-AEA4-9955FF93F1EF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls." }, { "lang": "es", "value": "Se descubri\u00f3 un problema en el paquete protobuf antes de 2.6.0 para Rust. Los atacantes pueden agotar toda la memoria a trav\u00e9s de llamadas Vec :: reserve." 
} ], "id": "CVE-2019-15544", "lastModified": "2024-11-21T04:28:58.697", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-26T18:15:12.593", "references": [ { "source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E" }, { "source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E" }, { "source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://rustsec.org/advisories/RUSTSEC-2019-0003.html" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://rustsec.org/advisories/RUSTSEC-2019-0003.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }