CVE-2019-20933

Aliases:GHSA-2rmp-fw5r-j5qvGO-2022-0780

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2019-20933 DLA-2501-1 DSA-4823-1 SUSE-SU-2020:3624-1 SUSE-SU-2020:3897-1 UBUNTU-CVE-2019-20933

Modified

Published: 19 Nov 2020, 01:50

Last modified:05 Aug 2024, 03:00

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

93.75% CRITICAL

94% probability -0.22%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

19 Nov 2020, 01:50

Published

Vulnerability first disclosed

05 Aug 2024, 03:00

Last Modified

Vulnerability information updated

Description

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 93.75%• Percentile: 100%

Techniques & Countermeasures

CWE-287•Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Systems

debian•debian_linux
9.0 | 10.0
github.com/influxdata•influxdb
< 1.7.6
influxdata•influxdb
< 1.7.6