Lucene search

K
cveApacheCVE-2018-8012
HistoryMay 21, 2018 - 7:29 p.m.

CVE-2018-8012

2018-05-2119:29:00
CWE-862
apache
web.nvd.nist.gov
96
2
cve-2018-8012
apache zookeeper
authentication
authorization
server join
cluster security
nvd

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.3

Confidence

High

EPSS

0.004

Percentile

74.0%

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Affected configurations

Nvd
Vulners
Node
apachezookeeperRange<3.4.10
OR
apachezookeeperRange3.5.03.5.3
OR
apachezookeeperMatch3.5.0alpha
OR
apachezookeeperMatch3.5.3beta
Node
debiandebian_linuxMatch8.0
OR
debiandebian_linuxMatch9.0
Node
oraclegoldengate_stream_analyticsRange<19.1.0.0.1
VendorProductVersionCPE
apachezookeeper*cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
apachezookeeper3.5.0cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*
apachezookeeper3.5.3cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
oraclegoldengate_stream_analytics*cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Apache ZooKeeper",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Apache ZooKeeper prior to 3.4.10, Apache ZooKeeper 3.5.0-alpha through 3.5.3-beta"
      }
    ]
  }
]

References

Social References

More

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.3

Confidence

High

EPSS

0.004

Percentile

74.0%