CVE-2019-20933 Scanner
Detects 'Authentication Bypass' vulnerability in InfluxDB affects v. before 1.7.6.
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 sec
Scan only one
Url
Toolbox
-
InfluxDB is a popular open-source time-series database used to store, index and query large amounts of time-stamped data. It is commonly used for monitoring, analytics, and other time-sensitive and data-driven applications. The platform is widely embraced by developers, data scientists, and other professionals who require real-time insights and fast data retrieval. InfluxDB has gained a lot of attention in recent years owing to its high performance, horizontal scalability, and flexible data model.
CVE-2019-20933 is a critical security vulnerability discovered in InfluxDB before 1.7.6. The issue arises due to an authentication bypass vulnerability found in the authenticate function in services/httpd/handler.go. It is believed that a JSON Web Token may have an empty SharedSecret, also known as a shared secret, which can lead to a serious vulnerability in the system's security. This vulnerability can offer remote attackers the ability to bypass user authentication for ingress traffic to the API or dashboard endpoints.
When exploited, this vulnerability can significantly impact security, potentially causing unauthorized access, data tampering, data exfiltration, denial of service, and other harmful attacks. The exploitation of this vulnerability may result in unauthorized access to sensitive data or system resources, leading to damage to reputation, legal consequences, financial loss, and other serious outcomes.
Thanks to the SecurityForEveryone.com platform, individuals can easily and quickly learn about the vulnerabilities in their digital assets without the need to be a security expert. With its advanced features, security professionals can gain insight into the security profile of their digital assets and take appropriate action to protect against vulnerabilities like CVE-2019-20933. So, take advantage of the advanced features of SecurityForEveryone.com platform to ensure your digital asset security.
REFERENCES
- https://github.com/influxdata/influxdb/issues/12927
- https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6
- https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0
- lists.debian.org: [debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update
- debian.org: DSA-4823
control security posture