CVE-2019-20933
Description
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
InfluxDB before 1.7.6 verified JWT bearer tokens against the configured shared secret even when that secret was blank, so a token signed with an empty key authenticates as whichever existing user its username claim names, an admin account included.
Vulnerability
CVE-2019-20933 is an authentication bypass in InfluxDB 1.x before 1.7.6. The authenticate function in services/httpd/handler.go accepts JWT bearer tokens and verifies them as HMAC-signed tokens, using the server's configured shared-secret (the [http] section of influxdb.conf) as the key. Before 1.7.6 the function never checked whether that secret had actually been set: an empty string, which is the default, was passed to the JWT library as the HMAC key, so any token signed with an empty key verified as genuine. An attacker who knows no secret at all can therefore mint tokens the server accepts, on any server that has auth-enabled = true and no shared-secret configured. The secret belongs to the server, not to the token; the CVE wording "a JWT token may have an empty SharedSecret" refers to tokens signed against that blank server-side value. [1][2]
Exploitation
Exploitation needs only network reachability to the InfluxDB HTTP API (port 8086 by default); no credentials and no privileged network position are required. The attacker builds a JWT with an HMAC algorithm such as HS256, a username claim naming an account that exists on the server and an exp claim (InfluxDB rejects tokens without one), signs it with an empty key, and sends it in an Authorization: Bearer header. Generic JWT tooling such as jwt_tool, which can sign a token with an arbitrary HMAC key including the empty string, is sufficient. Note that the signature is present and valid for the empty key; this is not an "alg: none" or stripped-signature attack. [3][4]
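The following stand-alone Go program is an added illustration of the mechanism described in the Vulnerability and Exploitation paragraphs; it is not code from InfluxDB, the advisory or jwt_tool. It implements HS256 signing and verification with the standard library only, then contrasts a function that behaves like the pre-1.7.6 authenticate path (the blank secret becomes the HMAC key) with one carrying the 1.7.6 guard. The function names bearerAuthVulnerable, bearerAuthFixed and issueToken, the username "admin" and the secret strings are this example's own choices, not InfluxDB identifiers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signHS256 builds a compact JWT (header.payload.signature) with HS256 over
// key. An empty key is deliberately allowed: that is the token an attacker
// presents to a pre-1.7.6 server whose shared-secret is blank.
func signHS256(claims map[string]interface{}, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyHS256 does what a JWT library's HMAC path does server-side: check the
// algorithm, recompute the MAC with the server secret, require an unexpired exp.
func verifyHS256(token string, key []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil ||
		json.Unmarshal(hb, &header) != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected signing method")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("signature is invalid")
	}
	var claims map[string]interface{}
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil ||
		json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	if exp, ok := claims["exp"].(float64); !ok || time.Now().Unix() > int64(exp) {
		return nil, errors.New("token expiration required")
	}
	return claims, nil
}

// bearerAuthVulnerable mimics the pre-1.7.6 behaviour: the shared secret, even
// when "", is the HMAC key, and the username claim picks the account to run as.
func bearerAuthVulnerable(sharedSecret, token string) (string, error) {
	claims, err := verifyHS256(token, []byte(sharedSecret))
	if err != nil {
		return "", err
	}
	user, _ := claims["username"].(string)
	if user == "" {
		return "", errors.New("username required")
	}
	return user, nil
}

// bearerAuthFixed adds the guard from commit 761b557: a blank secret means
// bearer authentication is off, so the token is never verified at all.
func bearerAuthFixed(sharedSecret, token string) (string, error) {
	if sharedSecret == "" {
		return "", errors.New("bearer auth disabled")
	}
	return bearerAuthVulnerable(sharedSecret, token)
}

// issueToken mints a one-hour token for username signed with secret.
// issueToken("admin", "") is the forged token: a known username and no secret.
func issueToken(username, secret string) string {
	return signHS256(map[string]interface{}{
		"username": username,
		"exp":      time.Now().Add(time.Hour).Unix(),
	}, []byte(secret))
}

func main() {
	forged := issueToken("admin", "") // attacker-side: empty key, existing username
	fmt.Println(bearerAuthVulnerable("", forged))         // admin <nil>
	fmt.Println(bearerAuthFixed("", forged))              //  bearer auth disabled
	fmt.Println(bearerAuthVulnerable("example-secret", forged)) //  signature is invalid
	fmt.Println(bearerAuthFixed("example-secret", issueToken("admin", "example-secret"))) // admin <nil>
}
```

The third call shows why a configured secret is a workaround on its own: the forged token fails the MAC comparison as soon as the server holds any non-empty value, while the fourth call shows that the 1.7.6 guard does not break legitimately signed tokens.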
Impact
Successful exploitation lets an unauthenticated attacker act as any existing InfluxDB user simply by placing that user's name in the token's username claim; naming an admin account yields full administrative control, including reading, writing or dropping any database, creating users and granting privileges. Because the attacker chooses the identity, the impact is bounded only by which accounts exist on the server. The vulnerability poses a critical risk to data confidentiality, integrity and availability.
Mitigation
The fix shipped in InfluxDB 1.7.6 (commit 761b557, PR #13132): when shared-secret is blank, bearer authentication is now refused outright with HTTP 401 and the body {"error":"bearer auth disabled"} instead of being evaluated against an empty key. Upgrade to 1.7.6 or later; Debian shipped the fix through DSA-4823 and a debian-lts announcement, and SUSE through SUSE OpenStack Cloud updates (see Affected products). Where an upgrade must wait, two mitigations close the forgery path: set a long random shared-secret under [http] in influxdb.conf, so that a valid token requires knowledge of that value, and restrict network access to the HTTP API. After upgrading, confirm that a bearer request carrying an empty-key token returns 401 rather than 200; clients that relied on blank-secret JWTs will now be rejected and must be reconfigured. Also review HTTP access logs for bearer-authenticated activity from unexpected sources. [2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/influxdata/influxdb (Go) | < 1.7.6 | 1.7.6 |
Affected products
- InfluxDB / InfluxDB (GHSA coordinates; 66 package versions, none with a CPE)

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:golang/github.com/influxdata/influxdb | Go module | < 1.7.6 |
| pkg:rpm/suse/ardana-cassandra | SUSE OpenStack Cloud 9 | < 9.0+git.1600802664.7e480a2-3.6.2 |
| pkg:rpm/suse/ardana-mq | SUSE OpenStack Cloud 9 | < 9.0+git.1605174486.a78ddce-3.19.2 |
| pkg:rpm/suse/ardana-osconfig | SUSE OpenStack Cloud 9 | < 9.0+git.1601621747.a87e5a0-3.22.2 |
| pkg:rpm/suse/ardana-tempest | SUSE OpenStack Cloud 9 | < 9.0+git.1603378983.fc0bca9-3.19.2 |
| pkg:rpm/suse/crowbar-core | SUSE OpenStack Cloud Crowbar 9 | < 6.0+git.1606314264.bf9ada813-3.31.2 |
| pkg:rpm/suse/crowbar-openstack | SUSE OpenStack Cloud 7 | < 4.0+git.1604938545.30c10db18-9.77.1 |
| pkg:rpm/suse/crowbar-openstack | SUSE OpenStack Cloud Crowbar 9 | < 6.0+git.1604573541.bb18c172d-3.28.3 |
| pkg:rpm/suse/grafana | SUSE OpenStack Cloud 7 | < 6.7.4-1.20.1 |
| pkg:rpm/suse/grafana | SUSE OpenStack Cloud 9 | < 6.7.4-3.20.1 |
| pkg:rpm/suse/grafana | SUSE OpenStack Cloud Crowbar 9 | < 6.7.4-3.20.1 |
| pkg:rpm/suse/influxdb | SUSE OpenStack Cloud 7 | < 1.2.4-5.1 |
| pkg:rpm/suse/influxdb | SUSE OpenStack Cloud 9 | < 1.3.8-4.3.3 |
| pkg:rpm/suse/influxdb | SUSE OpenStack Cloud Crowbar 9 | < 1.3.8-4.3.3 |
| pkg:rpm/suse/openstack-cinder | SUSE OpenStack Cloud 9 | < 13.0.10~dev20-3.28.2 |
| pkg:rpm/suse/openstack-cinder | SUSE OpenStack Cloud Crowbar 9 | < 13.0.10~dev20-3.28.2 |
| pkg:rpm/suse/openstack-heat | SUSE OpenStack Cloud 9 | < 11.0.4~dev4-3.19.2 |
| pkg:rpm/suse/openstack-heat | SUSE OpenStack Cloud Crowbar 9 | < 11.0.4~dev4-3.19.2 |
| pkg:rpm/suse/openstack-heat-gbp | SUSE OpenStack Cloud 9 | < 12.0.1~dev2-3.3.4 |
| pkg:rpm/suse/openstack-heat-gbp | SUSE OpenStack Cloud Crowbar 9 | < 12.0.1~dev2-3.3.4 |
| pkg:rpm/suse/openstack-heat-templates | SUSE OpenStack Cloud 9 | < 0.0.0+git.1605509190.64f020b6-3.9.3 |
| pkg:rpm/suse/openstack-heat-templates | SUSE OpenStack Cloud Crowbar 9 | < 0.0.0+git.1605509190.64f020b6-3.9.3 |
| pkg:rpm/suse/openstack-horizon-plugin-gbp-ui | SUSE OpenStack Cloud 9 | < 12.0.1~dev3-3.3.4 |
| pkg:rpm/suse/openstack-horizon-plugin-gbp-ui | SUSE OpenStack Cloud Crowbar 9 | < 12.0.1~dev3-3.3.4 |
| pkg:rpm/suse/openstack-ironic-python-agent | SUSE OpenStack Cloud 9 | < 3.3.4~dev6-3.19.4 |
| pkg:rpm/suse/openstack-ironic-python-agent | SUSE OpenStack Cloud Crowbar 9 | < 3.3.4~dev6-3.19.4 |
| pkg:rpm/suse/openstack-manila | SUSE OpenStack Cloud 9 | < 7.4.2~dev57-4.30.2 |
| pkg:rpm/suse/openstack-manila | SUSE OpenStack Cloud Crowbar 9 | < 7.4.2~dev57-4.30.2 |
| pkg:rpm/suse/openstack-neutron | SUSE OpenStack Cloud 9 | < 13.0.8~dev135-3.31.2 |
| pkg:rpm/suse/openstack-neutron | SUSE OpenStack Cloud Crowbar 9 | < 13.0.8~dev135-3.31.2 |
| pkg:rpm/suse/openstack-neutron-gbp | SUSE OpenStack Cloud 9 | < 12.0.1~dev5-3.19.4 |
| pkg:rpm/suse/openstack-neutron-gbp | SUSE OpenStack Cloud Crowbar 9 | < 12.0.1~dev5-3.19.4 |
| pkg:rpm/suse/openstack-neutron-vpnaas | SUSE OpenStack Cloud 9 | < 13.0.2~dev6-3.9.2 |
| pkg:rpm/suse/openstack-neutron-vpnaas | SUSE OpenStack Cloud Crowbar 9 | < 13.0.2~dev6-3.9.2 |
| pkg:rpm/suse/openstack-nova | SUSE OpenStack Cloud 9 | < 18.3.1~dev77-3.31.2 |
| pkg:rpm/suse/openstack-nova | SUSE OpenStack Cloud Crowbar 9 | < 18.3.1~dev77-3.31.2 |
| pkg:rpm/suse/python-Jinja2 | SUSE OpenStack Cloud 9 | < 2.10.1-3.3.3 |
| pkg:rpm/suse/python-Jinja2 | SUSE OpenStack Cloud Crowbar 9 | < 2.10.1-3.3.3 |
| pkg:rpm/suse/python-pysaml2 | SUSE OpenStack Cloud 9 | < 4.5.0-4.3.3 |
| pkg:rpm/suse/python-pysaml2 | SUSE OpenStack Cloud Crowbar 9 | < 4.5.0-4.3.3 |
| pkg:rpm/suse/python-pytest | SUSE OpenStack Cloud 9 | < 3.7.4-3.3.3 |
| pkg:rpm/suse/python-pytest | SUSE OpenStack Cloud Crowbar 9 | < 3.7.4-3.3.3 |
| pkg:rpm/suse/python-urllib3 | SUSE OpenStack Cloud 7 | < 1.16-3.12.1 |
| pkg:rpm/suse/python-urllib3 | SUSE OpenStack Cloud 9 | < 1.23-3.15.3 |
| pkg:rpm/suse/python-urllib3 | SUSE OpenStack Cloud Crowbar 9 | < 1.23-3.15.3 |
| pkg:rpm/suse/release-notes-suse-openstack-cloud | SUSE OpenStack Cloud 9 | < 9.20200917-3.24.3 |
| pkg:rpm/suse/release-notes-suse-openstack-cloud | SUSE OpenStack Cloud Crowbar 9 | < 9.20200917-3.24.3 |
| pkg:rpm/suse/spark | SUSE OpenStack Cloud 9 | < 2.2.3-5.3.3 |
| pkg:rpm/suse/spark | SUSE OpenStack Cloud Crowbar 9 | < 2.2.3-5.3.3 |
| pkg:rpm/suse/venv-openstack-barbican | SUSE OpenStack Cloud 9 | < 7.0.1~dev24-3.21.2 |
| pkg:rpm/suse/venv-openstack-cinder | SUSE OpenStack Cloud 9 | < 13.0.10~dev20-3.24.2 |
| pkg:rpm/suse/venv-openstack-designate | SUSE OpenStack Cloud 9 | < 7.0.2~dev2-3.21.2 |
| pkg:rpm/suse/venv-openstack-glance | SUSE OpenStack Cloud 9 | < 17.0.1~dev30-3.19.2 |
| pkg:rpm/suse/venv-openstack-heat | SUSE OpenStack Cloud 9 | < 11.0.4~dev4-3.21.2 |
| pkg:rpm/suse/venv-openstack-horizon | SUSE OpenStack Cloud 9 | < 14.1.1~dev7-4.23.2 |
| pkg:rpm/suse/venv-openstack-ironic | SUSE OpenStack Cloud 9 | < 11.1.5~dev16-4.19.2 |
| pkg:rpm/suse/venv-openstack-keystone | SUSE OpenStack Cloud 9 | < 14.2.1~dev4-3.21.2 |
| pkg:rpm/suse/venv-openstack-magnum | SUSE OpenStack Cloud 9 | < 7.2.1~dev1-4.21.2 |
| pkg:rpm/suse/venv-openstack-manila | SUSE OpenStack Cloud 9 | < 7.4.2~dev57-3.25.2 |
| pkg:rpm/suse/venv-openstack-monasca-ceilometer | SUSE OpenStack Cloud 9 | < 1.8.2~dev3-3.21.2 |
| pkg:rpm/suse/venv-openstack-monasca | SUSE OpenStack Cloud 9 | < 2.7.1~dev10-3.19.2 |
| pkg:rpm/suse/venv-openstack-neutron | SUSE OpenStack Cloud 9 | < 13.0.8~dev135-6.23.2 |
| pkg:rpm/suse/venv-openstack-nova | SUSE OpenStack Cloud 9 | < 18.3.1~dev77-3.23.2 |
| pkg:rpm/suse/venv-openstack-octavia | SUSE OpenStack Cloud 9 | < 3.2.3~dev7-4.21.2 |
| pkg:rpm/suse/venv-openstack-sahara | SUSE OpenStack Cloud 9 | < 9.0.2~dev15-3.21.2 |
| pkg:rpm/suse/venv-openstack-swift | SUSE OpenStack Cloud 9 | < 2.19.2~dev48-2.16.2 |
Patches
201c8dd416270 chore(doc): Update CHANGELOG (#13445)
1 file changed · +16 −2
CHANGELOG.md+16 −2 modified@@ -1,11 +1,25 @@ -v1.7.6 [unreleased] +v1.7.7 [unreleased] ------------------- -- [#13167](https://github.com/influxdata/influxdb/pull/13168): Track prom remote read request stats. +v1.7.6 [2019-04-16] +------------------- ### Bugfixes +- [#13067](https://github.com/influxdata/influxdb/pull/13067): Ensure credentials are passed for Flux queries when using influx command. +- [#13098](https://github.com/influxdata/influxdb/pull/13098): Back port of data generate improvements. +- [#13132](https://github.com/influxdata/influxdb/pull/13132): Fix security vulnerability when shared secret is blank. - [#13150](https://github.com/influxdata/influxdb/pull/13150): Add nil check for tagKeyValueEntry.setIDs(). +- [#13160](https://github.com/influxdata/influxdb/pull/13160): Drop all unsupported Prometheus values written to the remote write endpoint. +- [#13206](https://github.com/influxdata/influxdb/pull/13206): Update predicate key mapping to match 2.x behavior. +- [#13330](https://github.com/influxdata/influxdb/pull/13330): Fix panic in Prometheus read API. +- [#13338](https://github.com/influxdata/influxdb/pull/13338): Add a version constraint for influxql. + +### Features + +- [#13049](https://github.com/influxdata/influxdb/pull/13049): Upgrade flux to the latest version and remove the platform dependency. +- [#13121](https://github.com/influxdata/influxdb/pull/13121): Upgrade flux to 0.24.0. +- [#13168](https://github.com/influxdata/influxdb/pull/13168): track remote read requests to prometheus remote read handler. v1.7.5 [2019-03-26] -------------------
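Review bot: the v1.7.6 bugfix entry for #13132, "Fix security vulnerability when shared secret is blank", omits the behaviour change that operators need to know about: from this release a blank shared-secret makes every bearer-token request fail with 401 and the body {"error":"bearer auth disabled"}, so any deployment that had been using JWT auth without configuring a secret will have its clients locked out on upgrade. Suggest extending the entry with that sentence and a pointer to the advisory, so the release notes carry the upgrade impact rather than only the one-line fix description.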
761b557315ff fix(httpd): fail bearerauth if shared secret blank
2 files changed · +23 −0
services/httpd/handler.go+5 −0 modified@@ -1581,6 +1581,11 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, meta.User), h * return } case BearerAuthentication: + if h.Config.SharedSecret == "" { + atomic.AddInt64(&h.stats.AuthenticationFailures, 1) + h.httpError(w, "bearer auth disabled", http.StatusUnauthorized) + return + } keyLookupFn := func(token *jwt.Token) (interface{}, error) { // Check for expected signing method. if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
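Review bot: the new guard `if h.Config.SharedSecret == ""` only catches the exact empty string, so a one-character or whitespace-only secret still reaches the HMAC verifier and is as weak as the blank value was; consider enforcing a minimum secret length at config validation time as well, so the problem is reported once at startup instead of surfacing as a per-request 401 that only the client sees. Counting the rejection in `AuthenticationFailures` and returning a generic 401 is consistent with the other failure paths in this function and is fine as is.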
services/httpd/handler_test.go+18 −0 modified@@ -232,6 +232,24 @@ func TestHandler_Query_Auth(t *testing.T) { t.Fatalf("unexpected body: %s", body) } + // Test that auth fails if shared secret is blank. + origSecret := h.Config.SharedSecret + h.Config.SharedSecret = "" + token, _ = MustJWTToken("user1", h.Config.SharedSecret, false) + signedToken, err = token.SignedString([]byte(h.Config.SharedSecret)) + if err != nil { + t.Fatal(err) + } + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken)) + w = httptest.NewRecorder() + h.ServeHTTP(w, req) + if w.Code != http.StatusUnauthorized { + t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String()) + } else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"bearer auth disabled"}` { + t.Fatalf("unexpected body: %s", body) + } + h.Config.SharedSecret = origSecret + // Test the handler with valid user and password in the url and invalid in // basic auth (prioritize url). w = httptest.NewRecorder()
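Review bot: the new case asserts only the negative path, that a token signed with the blank secret is refused with `{"error":"bearer auth disabled"}`; unless an earlier part of `TestHandler_Query_Auth` already does so, add the matching positive case that a token signed with a non-blank `h.Config.SharedSecret` still authenticates after the guard, otherwise a regression that inverted the comparison would pass this test. Mutating `h.Config.SharedSecret` in the middle of a long test and restoring it by hand with `h.Config.SharedSecret = origSecret` is fragile; a `defer`-based restore, or a separate subtest that builds its own handler with a blank secret, would isolate the scenario and keep the restore from being skipped if an assertion is added before it.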
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2rmp-fw5r-j5qv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-20933 (NVD advisory)
- www.debian.org/security/2021/dsa-4823 (Debian vendor advisory, DSA-4823)
- github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0 (fix commit)
- github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6 (v1.7.5 to v1.7.6 diff)
- github.com/influxdata/influxdb/issues/12927 (upstream issue)
- github.com/ticarpi/jwt_tool/blob/a6ca3e0524a204b5add070bc6874cb4e7e5a9864/jwt_tool.py (jwt_tool)
- lists.debian.org/debian-lts-announce/2020/12/msg00030.html (Debian LTS announcement, mailing list)
- pkg.go.dev/github.com/influxdata/influxdb/services/httpd (Go package documentation)
News mentions
No linked articles in our index yet.