This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch website
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/website by this push:
     new 97a42d6f3 CVE-2024-23944
97a42d6f3 is described below

commit 97a42d6f3dddf94d013343929e2c21ecdd02f275
Author: Andor Molnar <[email protected]>
AuthorDate: Thu Mar 14 11:05:11 2024 -0500

    CVE-2024-23944
---
 src/main/resources/markdown/security.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/main/resources/markdown/security.md 
b/src/main/resources/markdown/security.md
index 9bde188df..c94d5b41d 100644
--- a/src/main/resources/markdown/security.md
+++ b/src/main/resources/markdown/security.md
@@ -30,6 +30,7 @@ their <a href="https://www.apache.org/security/";>Web page</a> 
for more informati
 
 ## Vulnerability reports
 
+* [CVE-2024-23944: Information disclosure in persistent watcher 
handling](#CVE-2024-23944)
 * [CVE-2023-44981: Authorization bypass in SASL Quorum Peer 
Authentication](#CVE-2023-44981)
 * [CVE-2019-0201: Information disclosure vulnerability in Apache 
ZooKeeper](#CVE-2019-0201)
 * [CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual 
authentication](#CVE-2018-8012)
@@ -37,6 +38,34 @@ their <a href="https://www.apache.org/security/";>Web 
page</a> for more informati
 * [CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli 
shell](#CVE-2016-5017)
 
 
+<a name="CVE-2024-23944"></a>
+### CVE-2024-23944: Information disclosure in persistent watcher handling
+
+Severity: critical
+
+Affected versions:
+
+- Apache ZooKeeper 3.9.0 through 3.9.1
+- Apache ZooKeeper 3.8.0 through 3.8.3
+- Apache ZooKeeper 3.6.0 through 3.7.2
+
+Description:
+
+Information disclosure in persistent watchers handling in Apache ZooKeeper due 
to missing ACL check. It allows an attacker to monitor child znodes by 
attaching a persistent watcher (addWatch command) to a parent which the 
attacker has already access to. ZooKeeper server doesn't do ACL check when the 
persistent watcher is triggered and as a consequence, the full path of znodes 
that a watch event gets triggered upon is exposed to the owner of the watcher. 
It's important to note that only t [...]
+
+Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
+
+Credit:
+
+周吉安(寒泉) <[email protected]> (reporter)
+
+References:
+
+[https://zookeeper.apache.org/](https://zookeeper.apache.org/)
+[https://www.cve.org/CVERecord?id=CVE-2024-23944](https://www.cve.org/CVERecord?id=CVE-2024-23944)
+
+
+
 <a name="CVE-2023-44981"></a>
 ### CVE-2023-44981: Authorization bypass in SASL Quorum Peer Authentication
 
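Review bot: The upgrade sentence near the end of the new section ("Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.") names fixed releases only for the 3.9 and 3.8 lines, while the affected list above it also covers 3.6.0 through 3.7.2. Please state what users on 3.6.x and 3.7.x are expected to do, for example by naming the release they should move to, and change "which fixes" to "which fix" since two versions are listed. Separately, the two links under "References:" sit on consecutive lines with no list marker or blank line between them, so Markdown will join them into one paragraph; a bulleted list, as used under "Affected versions:", would keep them on separate lines.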
