{ "schema_version": "1.4.0", "id": "GHSA-2rmp-fw5r-j5qv", "modified": "2023-10-02T15:14:38Z", "published": "2021-05-18T18:22:05Z", "aliases": [ "CVE-2019-20933" ], "summary": "Improper Authentication in InfluxDB", "details": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in `services/httpd/handler.go` because a JWT token may have an empty SharedSecret (aka shared secret).", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/influxdata/influxdb" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.7.6" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20933" }, { "type": "WEB", "url": "https://github.com/influxdata/influxdb/issues/12927" }, { "type": "WEB", "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0" }, { "type": "WEB", "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6" }, { "type": "WEB", "url": "https://github.com/ticarpi/jwt_tool/blob/a6ca3e0524a204b5add070bc6874cb4e7e5a9864/jwt_tool.py#L1368" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html" }, { "type": "PACKAGE", "url": "https://pkg.go.dev/github.com/influxdata/influxdb/services/httpd" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4823" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2021-05-12T21:55:56Z", "nvd_published_at": "2020-11-19T02:15:00Z" } }