Apache Accumulo security advisories

Security information for Apache Accumulo

Reporting

Do you want disclose a potential security issue for Apache Accumulo? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Accumulo 2.1.0 may incorrectly validate cached credentials

CVE-2023-34340 [CVE] [CVE json] [OSV json]

Last updated: 2023-06-21T07:01:43.546Z

Affected

  • Apache Accumulo from 2.1.0 before 2.1.1

Description

Improper Authentication vulnerability in Apache Software Foundation Apache Accumulo.

This issue affects Apache Accumulo: 2.1.0.

Accumulo 2.1.0 contains a defect in the user authentication process that may succeed when invalid credentials are provided. Users are advised to upgrade to 2.1.1.

References

Apache Accumulo Improper Handling of Insufficient Permissions

CVE-2020-17533 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-31T09:33:16.054Z

Affected

  • Apache Accumulo at 2.0.0
  • Apache Accumulo from 1.5.0 before Apache Accumulo*

Description

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the ‘canFlush’ and ‘canPerformSystemActions’ security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.

References