{"containers": {"cna": {"affected": [{"product": "Apache HBase", "vendor": "Apache", "versions": [{"status": "affected", "version": "Apache HBase 2.0.0-2.0.4"}, {"status": "affected", "version": "2.1.0-2.1.3"}]}], "datePublic": "2019-03-27T00:00:00", "descriptions": [{"lang": "en", "value": "In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server."}], "problemTypes": [{"descriptions": [{"description": "Missing Authorization", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-21T15:06:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E"}, {"name": "107624", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107624"}, {"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"}, {"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-0212", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache HBase", "version": {"version_data": [{"version_value": "Apache HBase 2.0.0-2.0.4"}, {"version_value": "2.1.0-2.1.3"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3"}, {"name": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E", "refsource": "CONFIRM", "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2@%3Cdev.hbase.apache.org%3E"}, {"name": "107624", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107624"}, {"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"}, {"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:14.866Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20190327 [CVE-2019-0212] Apache HBase REST Server incorrect user authorization", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E"}, {"name": "107624", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/107624"}, {"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"}, {"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0212", "datePublished": "2019-03-28T21:24:07", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-04T17:44:14.866Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CEF8C79-1D27-4191-8D8C-124862F29A4E", "versionEndIncluding": "2.0.4", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3D3D726-7894-4CE4-8894-0D5551910235", "versionEndIncluding": "2.1.3", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server."}, {"lang": "es", "value": "En todas las versiones anteriormente publicadas de Apache HBase 2.x (2.0.0-2.0.4, 2.1.0-2.1.3), se aplicaba una autorizaci\u00f3n de manera incorrecta a los usuarios del servidor REST \"HBase\". Todas las peticiones enviadas al servidor REST \"HBase\" se ejecutaban con los permisos del propio servidor REST y no con los permisos del usuario final. Este fallo solo es relevante cuando HBase est\u00e1 configurado con una autenticaci\u00f3n Kerberos, la autorizaci\u00f3n HBase se encuentra habilitada y el servidor REST est\u00e1 configurado con una autenticaci\u00f3n SPNEGO. Este fallo no va m\u00e1s all\u00e1 del servidor REST \"HBase\"."}], "id": "CVE-2019-0212", "lastModified": "2023-11-07T03:01:50.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-28T22:29:00.370", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/03/27/3"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107624"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/66535e15007cda8f9308eec10e12ffe349e0b8b55e56ec6ee02b71d2%40%3Cdev.hbase.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "hbase: Apache HBase REST Server incorrect user authorization", "id": "1696006", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696006"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-285", "details": ["In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not extend beyond the HBase REST server."], "name": "CVE-2019-0212", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "camel-hbase", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-hbase", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "camel-hbase", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2019-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-0212\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-0212"], "threat_severity": "Moderate"}