DescriptionAn issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Overall state of this security issue: Running
This issue is currently rated as having important severity.
|National Vulnerability Database|
|National Vulnerability Database||SUSE|
- SUSE-SU-2020:1066-1, published Wed Apr 22 10:14:00 MDT 2020
- SUSE-SU-2020:1190-1, published Tue May 5 10:32:42 MDT 2020
List of released packages
|Product(s)||Fixed package version(s)||References|
|HPE Helion Openstack 8|| ||Patchnames:
|SUSE OpenStack Cloud 8|| ||Patchnames:
|SUSE OpenStack Cloud 9|| ||Patchnames:
|SUSE OpenStack Cloud Crowbar 8|| ||Patchnames:
|SUSE OpenStack Cloud Crowbar 9|| ||Patchnames:
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.
|HPE Helion OpenStack 8||zookeeper||Released|
|SUSE Openstack Cloud 7||zookeeper||Affected|
|SUSE Openstack Cloud 8||zookeeper||Released|
|SUSE Openstack Cloud 9||zookeeper||Released|