CVE-2018-8025 - OpenCVE

CVE-2018-8025 describes an issue in Apache HBase that affects the optional "Thrift 1" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Hbase

Configuration 1 [-]

OR	cpe:2.3:a:apache:hbase::::::::
	cpe:2.3:a:apache:hbase:0.92.0:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/104554	Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2018-06-22T00:00:00

Updated: 2018-06-28T09:57:01

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-8025

JSON object: View

NVD Information

Status : Modified

Published: 2018-06-27T15:29:00.217

Modified: 2023-11-07T03:01:21.890

Link: CVE-2018-8025

JSON object: View

Redhat Information

No data.

CWE

CWE-362

{"containers": {"cna": {"affected": [{"product": "Apache HBase", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Tomcat 1.x and 2.x, excluding 1.0.0"}]}], "datePublic": "2018-06-22T00:00:00", "descriptions": [{"lang": "en", "value": "CVE-2018-8025 describes an issue in Apache HBase that affects the optional \"Thrift 1\" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1."}], "problemTypes": [{"descriptions": [{"description": "User Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-28T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "104554", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104554"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-06-22T00:00:00", "ID": "CVE-2018-8025", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache HBase", "version": {"version_data": [{"version_value": "Apache Tomcat 1.x and 2.x, excluding 1.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CVE-2018-8025 describes an issue in Apache HBase that affects the optional \"Thrift 1\" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "User Authentication"}]}]}, "references": {"reference_data": [{"name": "104554", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104554"}, {"name": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96@%3Cdev.hbase.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96@%3Cdev.hbase.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-8025", "datePublished": "2018-06-22T00:00:00", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2018-06-28T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "43560EDF-E0C0-4325-8A0E-610C810CDCB6", "versionEndIncluding": "2.0.0", "versionStartExcluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hbase:0.92.0:*:*:*:*:*:*:*", "matchCriteriaId": "804A0AA5-7AA1-4358-BA71-49334BFEEE77", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CVE-2018-8025 describes an issue in Apache HBase that affects the optional \"Thrift 1\" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1."}, {"lang": "es", "value": "CVE-2018-8025 describe un problema en Apache HBase que afecta al servidor opcional de la API \"Thrift 1\" cuando se ejecuta por HTTP. Hay una condici\u00f3n de carrera que puede conducir a que se aplican sesiones autenticadas incorrectamente a los usuarios, por ejemplo, un usuario autenticado se considerar\u00eda un usuario diferente o un usuario no autenticado se tratar\u00eda como usuario autenticado. https://issues.apache.org/jira/browse/HBASE-20664 implementa una soluci\u00f3n para este problema. Se ha solucionado en las versiones: 1.2.6.1, 1.3.2.1, 1.4.5 y 2.0.1."}], "id": "CVE-2018-8025", "lastModified": "2023-11-07T03:01:21.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-27T15:29:00.217", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104554"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/a919e38f587c714c386a01d40fc8f45bd4219a65aaf2dc0bb4eccc96%40%3Cdev.hbase.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}