CVE-2019-20933 - OpenCVE

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Influxdata	Influxdb

Configuration 1 [-]

cpe:2.3:a:influxdata:influxdb:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

No data.

References

Link	Providers
https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0
https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6
https://github.com/influxdata/influxdb/issues/12927
https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html
https://nvd.nist.gov/vuln/detail/CVE-2019-20933
https://www.cve.org/CVERecord?id=CVE-2019-20933
https://www.debian.org/security/2021/dsa-4823

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-11-19T01:50:50

Updated: 2024-08-05T03:00:18.714Z

Reserved: 2020-11-19T00:00:00

Link: CVE-2019-20933

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-19T02:15:11.913

Modified: 2022-10-19T14:52:11.963

Link: CVE-2019-20933

Redhat

Severity : Important

Publid Date: 2019-03-27T00:00:00Z

Links: CVE-2019-20933 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-02T15:07:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/influxdata/influxdb/issues/12927"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"}, {"name": "[debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"}, {"name": "DSA-4823", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4823"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20933", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/influxdata/influxdb/issues/12927", "refsource": "MISC", "url": "https://github.com/influxdata/influxdb/issues/12927"}, {"name": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6", "refsource": "MISC", "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"}, {"name": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0", "refsource": "MISC", "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"}, {"name": "[debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"}, {"name": "DSA-4823", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4823"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:18.714Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/influxdata/influxdb/issues/12927"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"}, {"name": "[debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"}, {"name": "DSA-4823", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4823"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20933", "datePublished": "2020-11-19T01:50:50", "dateReserved": "2020-11-19T00:00:00", "dateUpdated": "2024-08-05T03:00:18.714Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:influxdata:influxdb:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D5A0C08-23B3-4D32-9ECD-EDC9A5B73B17", "versionEndExcluding": "1.7.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret)."}, {"lang": "es", "value": "InfluxDB versiones anteriores a 1.7.6, presenta una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en la funci\u00f3n de autenticaci\u00f3n en el archivo services/httpd/handler.go porque un token JWT puede tener un SharedSecret vac\u00edo (tambi\u00e9n se conoce como secreto compartido)"}], "id": "CVE-2019-20933", "lastModified": "2022-10-19T14:52:11.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-19T02:15:11.913", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/influxdata/influxdb/issues/12927"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4823"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "influxdb: authentication bypass because a JWT token may have an empty SharedSecret", "id": "1900078", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1900078"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-20->CWE-287", "details": ["InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).", "An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret or state in the documentation that a JWT secret must be generated. If InfluxDB is left in the default state, this flaw allows an attacker to generate their own JWT token and log into the InfluxDBinstance, potentially escalating privileges and gaining access to sensitive information."], "mitigation": {"lang": "en:us", "value": "For versions before 1.7.6, as per the documentation updated by influxdb, ensure that a default shared-secret has be defined when enabling JWT authentication:\nhttps://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#1-add-a-shared-secret-in-your-influxdb-configuration-file \nVersions including the fix will return an error if the secret is left empty."}, "name": "CVE-2019-20933", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "jaeger-rhel8-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "influxdb", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "camel-influxdb", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "camel-quarkus-influxdb-deployment", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "camel-quarkus-influxdb-integration-test", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "influxdb-java", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "influxdb-java", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-influxdb", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-influxdb-starter", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "influxdb-java", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2019-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-20933\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-20933\nhttps://github.com/influxdata/influxdb/issues/12927"], "threat_severity": "Important", "upstream_fix": "influxdb 1.7.6"}