Vulnerability description
Apache Accumulo is a sorted, distributed key-value store.
In Apache Accumulo 2.1.0, AccumuloClient no longer authenticates automatically when a new instance is constructed; authentication is always performed in the shell. When the shell has been idle for too long and the user must re-authenticate, any input the user enters passes authentication, because the identity credentials are stored in the client's configuration file.
Vulnerability name | Flaws in the Apache Accumulo authentication process |
---|---|
Vulnerability type | Improper authentication |
Discovery time | 2023/6/21 |
Vulnerability breadth | General |
MPS number | MPS-5l0p-exd9 |
CVE number | CVE-2023-34340 |
CNVD number | - |
Affected scope
org.apache.accumulo:accumulo-core@[2.1.0, 2.1.1)
Remediation
Upgrade the org.apache.accumulo:accumulo-core component to version 2.1.1 or higher.
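To find builds that still declare the affected component, a pom.xml can be checked against the range above. The following is an added example, not code from Murphy Security or the Accumulo project; the sample pom is constructed, and the script assumes the version is declared directly or through a `<properties>` entry in the same file (inherited, transitive, or qualified versions are reported for manual review).

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.apache.accumulo", "accumulo-core"
LOW, HIGH = (2, 1, 0), (2, 1, 1)  # affected range [2.1.0, 2.1.1) from the advisory

# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><accumulo.version>2.1.0</accumulo.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.accumulo</groupId>
      <artifactId>accumulo-core</artifactId>
      <version>${accumulo.version}</version>
    </dependency>
  </dependencies>
</project>"""

def is_affected(version):
    """True/False for plain x.y.z versions, None when a manual review is needed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None  # qualifier, version range, or version inherited from a parent
    return LOW <= tuple(int(p) for p in m.groups()) < HIGH

def find_accumulo_core(pom_xml):
    """Return [(version, verdict)] for each accumulo-core dependency declared in a pom."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the XML namespace so plain tag names match
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    hits = []
    for dep in root.iter("dependency"):
        if (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip()) != (GROUP, ARTIFACT):
            continue
        raw = dep.findtext("version", "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", raw)  # resolve ${property} against <properties>
        version = props.get(ref.group(1), raw) if ref else raw
        hits.append((version, is_affected(version)))
    return hits

if __name__ == "__main__":
    for version, verdict in find_accumulo_core(SAMPLE_POM):
        status = {True: "AFFECTED, upgrade to 2.1.1 or higher", False: "not in affected range", None: "review manually"}[verdict]
        print(f"{GROUP}:{ARTIFACT}@{version or '(no version declared)'}: {status}")
```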
Reference links
https://www.oscs1024.com/hd/MPS-5l0p-exd9
https://nvd.nist.gov/vuln/detail/CVE-2023-34340
https://github.com/apache/accumulo/commit/0f2389735fd32e0bbc93ecde5d8c814b275b21b5
https://github.com/apache/accumulo/issues/3433