Source: influxdb
Version: 1.6.4-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/influxdata/influxdb/issues/12927
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.6.4-1
Control: found -1 1.0.2+dfsg1-1
Control: fixed -1 1.1.1+dfsg1-4+deb9u1

Hi,

The following vulnerability was published for influxdb.

CVE-2019-20933[0]:
| InfluxDB before 1.7.6 has an authentication bypass vulnerability in
| the authenticate function in services/httpd/handler.go because a JWT
| token may have an empty SharedSecret (aka shared secret).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20933
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933
[1] https://github.com/influxdata/influxdb/issues/12927
[2] https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0

Regards,
Salvatore
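
Added illustration, not part of the original report and not InfluxDB's code: a minimal HS256 verifier in Go showing why an unset shared secret has to disable bearer authentication instead of being used as an HMAC key. The function names, the guard flag, the error values and the sample claims are assumptions made for this sketch.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var errNoSecret = errors.New("bearer auth disabled: no shared secret configured")
var errBadToken = errors.New("invalid token")

// signHS256 builds a compact HS256 token over a constructed claims string.
func signHS256(claims string, secret []byte) string {
	enc := base64.RawURLEncoding
	msg := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString([]byte(claims))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(msg))
	return msg + "." + enc.EncodeToString(mac.Sum(nil))
}

// verifyHS256 checks only the signature (no expiry or claim validation).
// guard=false trusts whatever secret is configured, including the empty one;
// guard=true fails closed before any HMAC is computed.
func verifyHS256(token string, secret []byte, guard bool) error {
	if guard && len(secret) == 0 {
		return errNoSecret
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errBadToken
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errBadToken
	}
	return nil
}

func main() {
	tok := signHS256(`{"sub":"constructed-example"}`, nil) // constructed sample token
	fmt.Println("unguarded, empty secret:", verifyHS256(tok, nil, false))
	fmt.Println("guarded, empty secret:  ", verifyHS256(tok, nil, true))
}
```

An empty key is a valid HMAC key, so the signature check alone cannot tell "no secret configured" apart from "correct secret"; the configuration has to be checked separately.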