Apache ZooKeeper is vulnerable to Sensitive Information Disclosure. The vulnerability is due to missing ACL checks in the persistent watcher feature. An attacker can monitor child znodes by attaching a persistent watcher to a parent node they already have access to. When the persistent watcher is triggered, the ZooKeeper server does not perform an ACL check, exposing the full path of the child znodes to the watcher's owner.
Vendor | Product | Version | CPE |
---|---|---|---|
veracode | apache_zookeeper_-_server | * | cpe:2.3:a:veracode:apache_zookeeper_-_server:*:*:*:*:*:*:*:* |
veracode | zookeeper\:sid | 3.4.13-6 | cpe:2.3:a:veracode:zookeeper\:sid:3.4.13-6:*:*:*:*:*:*:* |
veracode | zookeeper\:sid | 3.4.13-5 | cpe:2.3:a:veracode:zookeeper\:sid:3.4.13-5:*:*:*:*:*:*:* |
- https://www.openwall.com/lists/oss-security/2024/03/14/2
- https://github.com/advisories/GHSA-r978-9m6m-6gm6
- https://github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5c
- https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d
- https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8
- https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k