Lucene search

K
redosRedosROS-20240815-05
HistoryAug 15, 2024 - 12:00 a.m.

ROS-20240815-05

2024-08-1500:00:00
redos.red-soft.ru
8
apache zookeeper
vulnerability
centralized service
configuration
naming
synchronization
group services
authentication
exploitation
remote access
authorization
security restrictions
batch mode syntax
confidentiality
integrity
unix

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

Low

EPSS

0.045

Percentile

92.7%

A vulnerability in the centralized service for maintaining configuration information, naming, providing
Apache ZooKeeper’s centralized service for maintaining configuration information and naming, providing distributed synchronization, and providing group services is related to the lack of ACL checks when a persistent observer is triggered.
ACL checks when a persistent observer is triggered. Exploitation of the vulnerability could allow
An attacker acting remotely could gain access to sensitive information

Centralized service vulnerability for maintaining configuration information, naming, providing distributed synchronization and group provisioning.
distributed synchronization and provisioning of Apache ZooKeeper group services exists due to
Lack of authentication when joining a quorum. Exploitation of the vulnerability could allow
an attacker acting remotely to write arbitrary files to the operating system of a vulnerable
device

Vulnerability in the implementation of the wchp/wchc centralized service command to maintain configuration information,
naming, providing distributed synchronization and provisioning of Apache ZooKeeper group services
is related to a lack of authentication for a critical function. Exploitation of the vulnerability could allow
An attacker acting remotely to cause a denial of service

Vulnerability in the implementation of the getACL() command of a centralized service to maintain configuration information,
naming, providing distributed synchronization and provisioning of Apache ZooKeeper group services
is related to permission handling errors. Exploitation of the vulnerability could allow an attacker,
acting remotely, to expose certain hash function values

Vulnerability in the SASL Quorum Peer authentication function of a centralized service to support information about the
configuration, naming, providing distributed synchronization, and providing group services
Apache ZooKeeper is related to bypassing authorization through the use of a key controlled by the
by the user. Exploitation of the vulnerability could allow an attacker acting remotely to bypass security restrictions and gain read access.
security restrictions and gain access to read, modify, or delete data

Centralized service vulnerability to support configuration information, naming, providing
distributed synchronization, and provisioning of Apache ZooKeeper group services is related to the use of the
“cmd:” batch mode syntax. Exploitation of the vulnerability could allow an attacker acting
remotely to impact the confidentiality and integrity of the system

OSVersionArchitecturePackageVersionFilename
redos7.3x86_64zookeeper< 3.9.2-1UNKNOWN

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

Low

EPSS

0.045

Percentile

92.7%