CVE-2019-20933

9.8 CRITICAL

📋 TL;DR

CVE-2019-20933 is an authentication bypass vulnerability in InfluxDB where JWT tokens with empty shared secrets are incorrectly accepted as valid. This allows attackers to bypass authentication and gain unauthorized access to the database. All InfluxDB instances before version 1.7.6 with authentication enabled are affected.

💻 Affected Systems

Products:
  • InfluxDB
Versions: All versions before 1.7.6
Operating Systems: All platforms running InfluxDB
Default Config Vulnerable: ✅ No
Notes: Only affects instances with authentication enabled (auth-enabled = true in influxdb.conf). Default installations have authentication disabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the InfluxDB instance allowing attackers to read, modify, or delete all data, execute arbitrary queries, and potentially pivot to other systems.

🟠 Likely Case: Unauthorized data access and manipulation, exposure of sensitive metrics and time-series data, potential data exfiltration or corruption.

🟢 If Mitigated: Limited impact if network segmentation and additional authentication layers prevent access, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal instances are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted JWT tokens with empty shared secrets. Public proof-of-concept code exists in GitHub issues and security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.6 and later

Vendor Advisory: https://github.com/influxdata/influxdb/security/advisories/GHSA-23hq-gwv9-8hvr

Restart Required: Yes

Instructions:

1. Back up your InfluxDB data and configuration.
2. Stop the InfluxDB service.
3. Upgrade to InfluxDB 1.7.6 or later using your package manager or a download from influxdata.com.
4. Restart the InfluxDB service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable authentication (platform: all)

Temporarily disable authentication if patching is not immediately possible (NOT RECOMMENDED for production).

Set auth-enabled = false in influxdb.conf and restart influxdb.

Network isolation (platform: linux)

Restrict network access to InfluxDB to only trusted sources.

Use firewall rules, in this order (the ACCEPT for trusted sources must precede the DROP):

iptables -A INPUT -p tcp --dport 8086 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8086 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation and firewall rules to restrict access to InfluxDB only from authorized systems
  • Add an additional authentication layer (reverse proxy with authentication, VPN, or API gateway)

🔍 How to Verify

Check if Vulnerable:

Check InfluxDB version: influx -version. If version is below 1.7.6 and authentication is enabled, the system is vulnerable.

Check Version:

{ influx -version 2>/dev/null || influxd version; } | head -1

Verify Fix Applied:

After upgrading, verify that the version is 1.7.6 or higher with influx -version, then test authentication with both valid and invalid credentials.
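The version and configuration check above as a small script. This is an added example, not part of the advisory or of InfluxData's tooling; the version strings and influxdb.conf fragment are constructed samples, and the output formats of influx -version and influxd version are assumed to contain a dotted x.y.z version somewhere on the line.

```python
import re

FIXED = (1, 7, 6)  # first release that contains the fix

# Constructed samples in the shape of the two commands' output and of influxdb.conf.
SHELL_OUT = "InfluxDB shell version: 1.7.5"
DAEMON_OUT = "InfluxDB v1.7.10 (git: 1.7 0000000)"  # placeholder commit hash
CONF_AUTH_ON = """
[meta]
  dir = "/var/lib/influxdb/meta"

[http]
  enabled = true
  bind-address = ":8086"
  auth-enabled = true  # authentication on
"""


def parse_version(output: str) -> tuple:
    """Return (major, minor, patch) from either command's output.

    Integer tuples compare correctly, so 1.7.10 ranks above 1.7.6
    (a plain string comparison would get that wrong).
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"no version found in: {output!r}")
    return tuple(int(x) for x in m.groups())


def auth_enabled(conf: str) -> bool:
    """Return the effective [http] auth-enabled setting (InfluxDB default: false)."""
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "http" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "auth-enabled":
                return value.strip().lower() == "true"
    return False


def assess(version_output: str, conf: str) -> str:
    """'patched', 'vulnerable', or 'unpatched-auth-disabled' (bypass needs auth on)."""
    if parse_version(version_output) >= FIXED:
        return "patched"
    return "vulnerable" if auth_enabled(conf) else "unpatched-auth-disabled"


if __name__ == "__main__":
    print(assess(SHELL_OUT, CONF_AUTH_ON))
```

An instance reported as unpatched-auth-disabled is not exposed to this bypass, but still needs the upgrade before authentication is turned on.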

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful access
  • Unusual query patterns from unexpected sources
  • Authentication logs showing empty or malformed JWT tokens

Network Indicators:

  • HTTP requests to /query or /write endpoints without proper authentication headers
  • Traffic to InfluxDB port 8086 from unexpected sources

SIEM Query:

source="influxdb.log" AND (("authentication failed" NEAR "query") OR ("JWT" AND "empty"))
