Improper Authentication

Affecting org.apache.phoenix:phoenix-core artifact, versions [,4.8.0-HBase-1.2)

Overview

Affected versions of this package are vulnerable to Improper Authentication. The Phoenix driver implementation caches the connections it successfully creates, keyed by their ConnectionInfo. The ConnectionInfo does not take the user into consideration, so a cache lookup cannot tell one user's connection from another's. This could allow malicious users to access tables to which they may not be authorized.
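
The flaw described above, as an added example that is not Phoenix source code: a simplified model of a connection cache with a cluster-only key beside a key that includes the user. All class, method and host names are hypothetical, and putting the principal in the key is an assumed way to close the gap, not a description of the project's actual fix.

```java
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of a driver-side connection cache. All names here are
// hypothetical; this is not Phoenix source code.
public class ConnectionCacheDemo {

    // Stand-in for a cached server connection that remembers who opened it.
    record Services(String openedBy) {}

    // Weak key: identifies the cluster only, so every user maps to one entry.
    record ClusterKey(String quorum, int port, String rootNode) {}

    // Hardened key: the authenticated principal is part of equals()/hashCode().
    record UserClusterKey(String quorum, int port, String rootNode, String principal) {
        UserClusterKey {
            Objects.requireNonNull(principal, "principal must be part of the cache key");
        }
    }

    private final Map<ClusterKey, Services> weakCache = new ConcurrentHashMap<>();
    private final Map<UserClusterKey, Services> safeCache = new ConcurrentHashMap<>();

    Services connectWeak(String quorum, int port, String root, String user) {
        // The user is only consulted on a cache miss.
        return weakCache.computeIfAbsent(new ClusterKey(quorum, port, root),
                k -> new Services(user));
    }

    Services connectSafe(String quorum, int port, String root, String user) {
        return safeCache.computeIfAbsent(new UserClusterKey(quorum, port, root, user),
                k -> new Services(user));
    }

    public static void main(String[] args) {
        ConnectionCacheDemo d = new ConnectionCacheDemo();
        // Constructed sample values.
        d.connectWeak("zk.example.internal", 2181, "/hbase", "alice");
        Services weak = d.connectWeak("zk.example.internal", 2181, "/hbase", "bob");
        System.out.println("weak key, bob is served a connection opened by: " + weak.openedBy());

        d.connectSafe("zk.example.internal", 2181, "/hbase", "alice");
        Services safe = d.connectSafe("zk.example.internal", 2181, "/hbase", "bob");
        System.out.println("user-aware key, bob is served a connection opened by: " + safe.openedBy());
    }
}
```

When reviewing other drivers or pools for the same class of bug, check that every attribute that affects authorization participates in the cache key's `equals()` and `hashCode()`.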

Remediation

Upgrade org.apache.phoenix:phoenix-core to version 4.8.0-HBase-1.2 or higher.

CVSS Score

5.0 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

  • Credit: Prabhjyot Singh
  • CWE: CWE-287
  • Snyk ID: SNYK-JAVA-ORGAPACHEPHOENIX-1300043
  • Disclosed: 04 Jun, 2021
  • Published: 04 Jun, 2021