SB2019082234 - Missing authentication in Sphinx
Published: August 22, 2019 Updated: January 11, 2022
Security Bulletin ID
SB2019082234
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2019-14511)
The vulnerability allows a remote attacker to gain unauthorized access to the database.
The vulnerability exists due to insecure default configuration in which Sphinx listens on 0.0.0.0 and does not require authentication to be configured. A remote non-authenticated attacker can simply connect to the database and gain full access to information.
Remediation
Install update from vendor's website.
References
- http://sphinxsearch.com/docs/sphinx3.html#getting-started-on-linux-and-macos
- https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FPPNZZMWTZOMFGFETMET6YKIH2DQDKS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XD25JJJVM7FFXAO2L3ZG2KXQ6UMFBIA4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSLPW44RWIGHU5AG3P4U2HPSD3UBG4GJ/
- https://sphinxsearch.com/blog/