CVE-2020-17533
Apache Accumulo Improper Handling of Insufficient Permissions
In short
Apache Accumulo computes whether a user is allowed to perform certain administrative operations, such as flushing a table or shutting down the system, but in some code paths it never checks the result before proceeding. An authenticated user who lacks the required permission can therefore perform these actions anyway.
Technical detail
The affected code calls the 'canFlush' and 'canPerformSystemActions' policy enforcement functions but, in some code paths, discards their boolean result and carries out the privileged operation regardless (CWE-252, Unchecked Return Value). An authenticated user with insufficient permissions can therefore flush a table, shut down Accumulo or a single tablet server, and set or remove system-wide configuration properties. The issue is fixed in Accumulo 1.10.1 and 2.0.1.
Summary generated and translated by AI from the official description.
Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.
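The following Java program is an added illustration of the unchecked-return-value pattern the advisory describes; it is not Apache Accumulo's code. The method names canFlush() and canPerformSystemActions() are taken from the advisory, but the permission model, the PermissionDeniedException type, the two handler classes and the sample principals are assumptions made only to contrast a handler that discards the policy verdict with one that acts on it.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Illustrative model of CWE-252 as it applies to CVE-2020-17533.
 * Not Accumulo code: the permission model, exception type and handlers
 * below are assumptions built for this demonstration.
 */
public class UncheckedPolicyDemo {

    enum SystemPermission { SYSTEM }
    enum TablePermission { READ, WRITE, ALTER_TABLE }

    /** Stand-in for a PERMISSION_DENIED security exception (assumption). */
    static class PermissionDeniedException extends Exception {
        PermissionDeniedException(String principal, String op) {
            super("PERMISSION_DENIED: " + principal + " may not " + op);
        }
    }

    /** Policy functions only RETURN a verdict; they never throw, so callers must check. */
    static class SecurityOperation {
        private final Map<String, Set<SystemPermission>> systemPerms = new HashMap<>();
        // key: principal + "@" + tableId (simplified; real systems also consult namespace grants)
        private final Map<String, Set<TablePermission>> tablePerms = new HashMap<>();

        void grantSystem(String principal, SystemPermission p) {
            systemPerms.computeIfAbsent(principal, k -> EnumSet.noneOf(SystemPermission.class)).add(p);
        }
        void grantTable(String principal, String tableId, TablePermission p) {
            tablePerms.computeIfAbsent(principal + "@" + tableId,
                    k -> EnumSet.noneOf(TablePermission.class)).add(p);
        }
        boolean canPerformSystemActions(String principal) {
            return systemPerms.getOrDefault(principal, EnumSet.noneOf(SystemPermission.class))
                    .contains(SystemPermission.SYSTEM);
        }
        boolean canFlush(String principal, String tableId) {
            Set<TablePermission> p = tablePerms.getOrDefault(principal + "@" + tableId,
                    EnumSet.noneOf(TablePermission.class));
            return canPerformSystemActions(principal)
                    || p.contains(TablePermission.WRITE) || p.contains(TablePermission.ALTER_TABLE);
        }
    }

    /** Vulnerable shape: the verdict is computed and then thrown away. */
    static class VulnerableHandler {
        final SecurityOperation security;
        final List<String> log = new ArrayList<>();
        VulnerableHandler(SecurityOperation s) { security = s; }
        void flush(String principal, String tableId) {
            security.canFlush(principal, tableId);          // BUG: boolean result ignored
            log.add("flush " + tableId + " by " + principal);
        }
        void shutdown(String principal) {
            security.canPerformSystemActions(principal);    // BUG: boolean result ignored
            log.add("shutdown by " + principal);
        }
    }

    /** Fixed shape: a false verdict aborts the call before any side effect occurs. */
    static class FixedHandler {
        final SecurityOperation security;
        final List<String> log = new ArrayList<>();
        FixedHandler(SecurityOperation s) { security = s; }
        void flush(String principal, String tableId) throws PermissionDeniedException {
            if (!security.canFlush(principal, tableId))
                throw new PermissionDeniedException(principal, "flush " + tableId);
            log.add("flush " + tableId + " by " + principal);
        }
        void shutdown(String principal) throws PermissionDeniedException {
            if (!security.canPerformSystemActions(principal))
                throw new PermissionDeniedException(principal, "shutdown");
            log.add("shutdown by " + principal);
        }
    }

    public static void main(String[] args) {
        SecurityOperation security = new SecurityOperation();
        security.grantSystem("root", SystemPermission.SYSTEM);
        // "alice" is a constructed low-privilege user with READ only on table t1.
        security.grantTable("alice", "t1", TablePermission.READ);

        VulnerableHandler bad = new VulnerableHandler(security);
        bad.flush("alice", "t1");
        bad.shutdown("alice");
        System.out.println("vulnerable handler log: " + bad.log);

        FixedHandler good = new FixedHandler(security);
        for (String principal : new String[] {"root", "alice"}) {
            try {
                good.flush(principal, "t1");
                good.shutdown(principal);
                System.out.println("fixed handler: " + principal + " allowed");
            } catch (PermissionDeniedException e) {
                System.out.println("fixed handler: " + e.getMessage());
            }
        }
        System.out.println("fixed handler log: " + good.log);
    }
}
```

The point to carry away is that a boolean-returning policy function is only as strong as the `if (!...) throw` at every call site; a review of such code should look for each call whose result is not consumed, which is exactly what a static-analysis rule for CWE-252 flags.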
Affected products
Apache Software Foundation · Apache Accumulo
References
https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rf8c1a787b6951d3dacb9ec58f0bf1633790c91f54ff10c6f8ff9d8ed%40%3Cuser.accumulo.apache.org%3E
http://www.openwall.com/lists/oss-security/2020/12/29/1