InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
References
Link | Resource |
---|---|
https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6 | Patch Third Party Advisory |
https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0 | Patch Third Party Advisory |
https://github.com/influxdata/influxdb/issues/12927 | Issue Tracking Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html | Mailing List Third Party Advisory |
https://www.debian.org/security/2021/dsa-4823 | Third Party Advisory |
Information
Published : 2020-11-18 18:15
Updated : 2022-10-19 07:52
NVD link : CVE-2019-20933
Mitre link : CVE-2019-20933
JSON object : View
CWE
CWE-287
Improper Authentication
Products Affected
debian
- debian_linux
influxdata
- influxdb