Lucene search

GitHub Advisory DatabaseGHSA-GRC3-8Q8M-4J7C

HistoryFeb 09, 2022 - 10:37 p.m.

Improper privilege handling in Apache Accumulo

2022-02-0922:37:59

CWE-252

CWE-280

CWE-732

GitHub Advisory Database

github.com

apache accumulo

privilege handling

security vulnerability

policy enforcement

administrative operations

authentication

insufficient permissions

flushing

shutdown

configuration properties

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

47.4%

JSON

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the ‘canFlush’ and ‘canPerformSystemActions’ security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.

Affected configurations

Vulners

Node

org.apache.accumuloaccumulo-masterMatch2.0.0

org.apache.accumuloaccumulo-masterRange1.5.0–1.10.1

VendorProductVersionCPE
org.apache.accumuloaccumulo-master2.0.0cpe:2.3:a:org.apache.accumulo:accumulo-master:2.0.0:*:*:*:*:*:*:*
org.apache.accumuloaccumulo-master*cpe:2.3:a:org.apache.accumulo:accumulo-master:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.accumulo	accumulo-master	2.0.0	cpe:2.3:a:org.apache.accumulo:accumulo-master:2.0.0:::::::*
org.apache.accumulo	accumulo-master	*	cpe:2.3:a:org.apache.accumulo:accumulo-master::::::::

References

www.openwall.com/lists/oss-security/2020/12/29/1

github.com/advisories/GHSA-grc3-8q8m-4j7c

github.com/apache/accumulo/commit/56142a89952533fef922fa86739a879c073e7c2a

github.com/apache/accumulo/commit/877ad502f6857e48342664e4b0ce83db74e4cda4

lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cuser.accumulo.apache.org%3E

lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed@%3Cannounce.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2020-17533

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

47.4%

JSON

Related for GHSA-GRC3-8Q8M-4J7C