Lucene search

K
redhatcveRedhat.comRH:CVE-2019-20933
HistoryNov 20, 2020 - 6:22 p.m.

CVE-2019-20933

2020-11-2018:22:58
redhat.com
access.redhat.com
10

EPSS

0.042

Percentile

92.3%

An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret or state in the documentation that a JWT secret must be generated. If InfluxDB is left in the default state, this flaw allows an attacker to generate their own JWT token and log into the InfluxDBinstance, potentially escalating privileges and gaining access to sensitive information.

Mitigation

For versions before 1.7.6, as per the documentation updated by influxdb, ensure that a default shared-secret has be defined when enabling JWT authentication:

<https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#1-add-a-shared-secret-in-your-influxdb-configuration-file&gt;

Versions including the fix will return an error if the secret is left empty.