UBUNTU-CVE-2018-8012
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 21 May 2018, 19:29
Last modified:22 Apr 2026, 12:04
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
21 May 2018, 19:29
Published
Vulnerability first disclosed
22 Apr 2026, 12:04
Last Modified
Vulnerability information updated
Description
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Systems
- ubuntu•zookeeper
all | < 3.4.8-1ubuntu0.1~esm1
References (8)
- https://ubuntu.com/security/CVE-2018-8012
- https://issues.apache.org/jira/browse/ZOOKEEPER-1045
- http://www.openwall.com/lists/oss-security/2018/05/21/6
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
- https://issues.apache.org/jira/secure/attachment/12840904/ZOOKEEPER-1045-br-3-4.patch
- https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E
- https://ubuntu.com/security/notices/USN-4789-1
- https://www.cve.org/CVERecord?id=CVE-2018-8012