
List:       oss-security
Subject:    [oss-security] CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handli
From:       Andor Molnar <andor () apache ! org>
Date:       2024-03-14 15:52:52
Message-ID: 4b40fc91-a70e-5422-1099-49e992eafdde () apache ! org

Severity: critical

Affected versions:

- Apache ZooKeeper 3.9.0 through 3.9.1
- Apache ZooKeeper 3.8.0 through 3.8.3
- Apache ZooKeeper 3.6.0 through 3.7.2

Description:

Information disclosure in persistent watchers handling in Apache ZooKeeper due to a missing ACL
check. It allows an attacker to monitor child znodes by attaching a persistent watcher
(addWatch command) to a parent which the attacker already has access to. The ZooKeeper server
doesn't do an ACL check when the persistent watcher is triggered and, as a consequence, the full
path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher.
It's important to note that only the path is exposed by this vulnerability, not the data of the
znode, but since a znode path can contain sensitive information like a user name or login ID, this
issue is potentially critical.

Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fix the issue.

Credit:

周吉安(寒泉) <zhoujian.zja@alibaba-inc.com> (reporter)

References:

https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-23944
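
The missing check described above, shown as a simplified model of watch delivery with the ACL check at trigger time switched off and on. This is an added example, not ZooKeeper source code and not part of the original advisory; the class, the principals and the znode paths are constructed for illustration.

```python
# Simplified model of watch delivery; not ZooKeeper source code.
from dataclasses import dataclass, field


@dataclass
class WatchServer:
    read_acl: dict = field(default_factory=dict)  # znode path -> principals with READ
    watchers: dict = field(default_factory=dict)  # watched parent -> principals
    check_acl_on_trigger: bool = True

    def add_watch(self, principal, path):
        # Attaching the watch requires READ on the watched parent itself.
        if principal not in self.read_acl.get(path, set()):
            raise PermissionError(f"{principal} cannot read {path}")
        self.watchers.setdefault(path, set()).add(principal)

    def create(self, path, readers):
        """Create a znode; return the (principal, path) events delivered."""
        self.read_acl[path] = set(readers)
        return self._trigger(path)

    def _trigger(self, event_path):
        delivered = []
        for watched, principals in self.watchers.items():
            # Only watchers on a parent of the changed znode are candidates.
            if not event_path.startswith(watched.rstrip("/") + "/"):
                continue
            for p in sorted(principals):
                # The check the advisory describes as missing: does the owner
                # of the watcher hold READ on the znode named in the event?
                if self.check_acl_on_trigger and p not in self.read_acl[event_path]:
                    continue
                delivered.append((p, event_path))
        return delivered


def run(check_acl_on_trigger):
    srv = WatchServer(check_acl_on_trigger=check_acl_on_trigger)
    srv.read_acl["/accounts"] = {"svc-a", "svc-b"}  # constructed sample tree
    srv.add_watch("svc-b", "/accounts")
    events = srv.create("/accounts/login-alice", readers={"svc-a"})
    events += srv.create("/accounts/shared", readers={"svc-a", "svc-b"})
    return events


if __name__ == "__main__":
    print("no check at trigger:", run(False))
    print("check at trigger:   ", run(True))
```

Without the check, `svc-b` receives the path `/accounts/login-alice` even though its ACL grants READ only to `svc-a`; with the check, only the event for the znode it may read is delivered.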
