Veracode Vulnerability Database: VERACODE:45909
Mar 18, 2024 - 7:08 a.m.

Sensitive Information Disclosure

2024-03-18 07:08:30
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
sensitive information disclosure
acl checks
child znodes
persistent watcher
access control

AI Score: 6.7
Confidence: High
EPSS: 0
Percentile: 9.0%

Apache ZooKeeper is vulnerable to Sensitive Information Disclosure. The vulnerability is due to missing ACL checks in the persistent watcher feature. An attacker can monitor child znodes by attaching a persistent watcher to a parent node they already have access to. When the persistent watcher is triggered, the ZooKeeper server does not perform an ACL check, exposing the full path of the znodes to the watcher's owner.

Affected configurations

veracode apache_zookeeper_-_server Range 3.8.3 3.8.3
OR
veracode apache_zookeeper_-_server Range 3.9.1 3.9.1
OR
veracode apache_zookeeper_-_server Range 3.7.2 3.7.2
OR
veracode zookeeper\ Match sid 3.4.13-6
OR
veracode zookeeper\ Match sid 3.4.13-5
Vendor | Product | Version | CPE
veracode | apache_zookeeper_-_server | * | cpe:2.3:a:veracode:apache_zookeeper_-_server:*:*:*:*:*:*:*:*
veracode | zookeeper\ | sid | cpe:2.3:a:veracode:zookeeper\:sid:3.4.13-6:*:*:*:*:*:*:*
veracode | zookeeper\ | sid | cpe:2.3:a:veracode:zookeeper\:sid:3.4.13-5:*:*:*:*:*:*:*