Improper Authorization Affecting github.com/cockroachdb/cockroach/pkg/server package, versions <19.1


Severity

high

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-GOLANG-GITHUBCOMCOCKROACHDBCOCKROACHPKGSERVER-536001
  • published: 27 Nov 2019
  • disclosed: 19 Nov 2019
  • credit: kena

Introduced: 19 Nov 2019

CVE: not available. CWE-285

How to fix?

Upgrade github.com/cockroachdb/cockroach/pkg/server to version 19.1 or higher.

Overview

github.com/cockroachdb/cockroach/pkg/server is an open source, cloud-native SQL database.

Affected versions of this package are vulnerable to Improper Authorization. An authenticated non-admin user can call any admin endpoint that is exposed over HTTP, even though those operations should be restricted to admin users. As a result, non-admin users can shut down a node or view SQL objects on which they have no permission.
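The defect described above is authentication without authorization: the admin endpoints check that the caller is logged in but never check the caller's role. The following Go program is an added illustration of that pattern and its fix; it is not CockroachDB's code, and the session store, token values, route paths and the `drainHandler` stand-in for a node shutdown are all constructed for the example. The same admin operation is mounted twice, once behind a middleware that only authenticates (`requireAuth`, the weak form) and once behind one that also requires the admin role (`requireAdmin`, the hardened form), so the difference in behaviour for a non-admin caller is visible in the returned status codes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// user is a constructed session record; IsAdmin is the role bit the
// authorization check must consult.
type user struct {
	Name    string
	IsAdmin bool
}

// sessions is a constructed token -> user store (assumption: bearer tokens
// are passed verbatim in the Authorization header).
var sessions = map[string]user{
	"tok-alice": {Name: "alice", IsAdmin: true},
	"tok-bob":   {Name: "bob", IsAdmin: false},
}

// authenticate resolves the request's token to a user; ok is false if unknown.
func authenticate(r *http.Request) (u user, ok bool) {
	u, ok = sessions[r.Header.Get("Authorization")]
	return u, ok
}

// requireAuth is the weak pattern: every logged-in user passes, so an
// admin-only operation behind it is reachable by any authenticated user.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := authenticate(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireAdmin is the hardened pattern: authentication followed by an
// explicit authorization check on the caller's role.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !u.IsAdmin {
			http.Error(w, "forbidden: admin role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// drainHandler is a constructed stand-in for an admin-only operation such
// as shutting down a node; it only reports success.
var drainHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "node drained")
})

// newMux mounts the same admin operation behind both middlewares.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/weak/_admin/drain", requireAuth(drainHandler))
	mux.Handle("/hardened/_admin/drain", requireAdmin(drainHandler))
	return mux
}

// call issues an in-memory request with the given token and returns the
// HTTP status code the mux produced.
func call(mux *http.ServeMux, path, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	mux := newMux()
	for _, tc := range []struct{ path, token string }{
		{"/weak/_admin/drain", "tok-bob"},     // non-admin reaches the admin operation
		{"/hardened/_admin/drain", "tok-bob"}, // non-admin is refused
		{"/hardened/_admin/drain", "tok-alice"},
		{"/hardened/_admin/drain", ""}, // no session at all
	} {
		fmt.Printf("%-24s %-12q -> %d\n", tc.path, tc.token, call(mux, tc.path, tc.token))
	}
}
```

The check that matters is the one in `requireAdmin`: the role is read from the authenticated session, not from anything the client sends, and the refusal is a 403 distinct from the 401 for a missing session, which also makes the two failure modes separable in access logs.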

CVSS Base Scores (version 3.1)