CVE-2019-0201

MEDIUM

Apache ZooKeeper 1.0.0-3.4.13 and 3.5.0-alpha-3.5.4-beta - Unauthenticated Information Disclosure via getACL() Command

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-0201. PoCs published by dawetmaster, andikahilmy.

Description

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-0201-zookeeper-vulnerable

This repository appears to be a fork or snapshot of the Apache ZooKeeper project but does not contain any exploit code or technical analysis related to CVE-2019-0201. It includes standard ZooKeeper build scripts, configuration files, and documentation without any PoC or vulnerability details.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache ZooKeeper
No auth needed
devstral-2 · analyzed Mar 14, 2026

nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-0201-zookeeper-vulnerable

This repository appears to be a fork or snapshot of the Apache ZooKeeper project without any specific exploit code or analysis for CVE-2019-0201. It contains standard ZooKeeper build scripts, configuration files, and documentation but lacks any proof-of-concept exploit or technical writeup related to the vulnerability.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache ZooKeeper
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (20)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108427
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4461
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jun/13
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3140
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3892
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4352
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Vendor Advisory x_refsource_confirm
https://zookeeper.apache.org/security.html#CVE-2019-0201
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190619-0001/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html

Scores

CVSS v3 5.9
EPSS 0.0021
EPSS Percentile 44.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-862
Status: published
Products (17)
apache/activemq 5.15.9
apache/drill 1.16.0
apache/zookeeper 3.5.0 (3 CPE variants)
apache/zookeeper 3.5.1 (7 CPE variants)
apache/zookeeper 3.5.2 (4 CPE variants)
apache/zookeeper 3.5.3 (4 CPE variants)
apache/zookeeper 3.5.4 beta
apache/zookeeper 1.0.0 - 3.4.13
debian/debian_linux 8.0
debian/debian_linux 9.0
... and 7 more
Published May 23, 2019
Tracked Since Feb 18, 2026