CVE-2019-20933

CRITICAL EXPLOITED NUCLEI

InfluxDB <1.7.6 - Auth Bypass

Description

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

Exploits (2)

nomisec WORKING POC 42 stars
by LorenzoTullini · remote
https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
nomisec WORKING POC 2 stars
by Hydragyrum · remote
https://github.com/Hydragyrum/CVE-2019-20933

Nuclei Templates (1)

InfluxDB <1.7.6 - Authentication Bypass
CRITICAL VERIFIED by pussycat0x, c-sh0
Shodan: InfluxDB || http.title:"influxdb - admin interface" || influxdb
FOFA: title="influxdb - admin interface"

Scores

CVSS v3 9.8
EPSS 0.9397
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-29
CWE CWE-287
Status published
Products (4)
debian/debian_linux 9.0
debian/debian_linux 10.0
influxdata/influxdb < 1.7.6
influxdata/influxdb 0 - 1.7.6 (Go)
Published Nov 19, 2020
Tracked Since Feb 18, 2026