CVE-2018-8012

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Zookeeper
Vendor: CVE Published:; 21 May 2018

Summary

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Affected Version(s)

Apache ZooKeeper Apache ZooKeeper prior to 3.4.10, Apache ZooKeeper 3.5.0-alpha through 3.5.3-beta

References

https://www.debian.org/security/2018/dsa-4214

vendor-advisoryx_refsource_DEBIAN

http://www.securitytracker.com/id/1040948

vdb-entryx_refsource_SECTRACK

http://www.securityfocus.com/bid/104253

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 21, 2018
Vulnerability Reserved
Mar 9, 2018

.