CVE-2019-20933

Published: 19 November 2020

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: influxdb (Launchpad, Ubuntu, Debian)

Release: Status
bionic: Released (1.1.1+dfsg1-4+deb9u1ubuntu1)
focal: Released (1.6.4-1+deb10u1build0.20.04.1)
groovy: Ignored (reached end-of-life)
hirsute: Released (1.6.7~rc0-1)
impish: Released (1.6.7~rc0-1)
jammy: Released (1.6.7~rc0-1)
precise: Does not exist
trusty: Does not exist
upstream: Released (1.7.6)
xenial: Ignored (end of standard support, was needs-triage)