An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to
3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when
retrieves the ACLs of the requested node and returns all information
contained in the ACL Id field as plaintext string.
DigestAuthenticationProvider overloads the Id field with the hash value
that is used for user authentication. As a consequence, if Digest
Authentication is in use, the unsalted hash value will be disclosed by
getACL() request for unauthenticated or unprivileged users.
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):ignored (reached end-of-life)
Ubuntu 19.04 (Disco Dingo):needs-triage
Ubuntu 19.10 (Eoan):needs-triage
More Information

Updated: 2019-07-18 17:39:25 UTC (commit 649f8c6455205380e35ed054e9ea734222c716bb)