This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch website
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/website by this push:
     new 0cd6648d0 Updated website content for CVE-2024-51504
0cd6648d0 is described below

commit 0cd6648d08fea33aeec1e1421731844380443f8c
Author: Andor Molnar <an...@cloudera.com>
AuthorDate: Wed Nov 6 11:18:44 2024 -0600

    Updated website content for CVE-2024-51504
---
 src/main/resources/markdown/security.md | 39 +++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/src/main/resources/markdown/security.md 
b/src/main/resources/markdown/security.md
index c94d5b41d..286949b4f 100644
--- a/src/main/resources/markdown/security.md
+++ b/src/main/resources/markdown/security.md
@@ -30,6 +30,7 @@ their <a href="https://www.apache.org/security/";>Web page</a> 
for more informati
 
 ## Vulnerability reports
 
+* [CVE-2024-51504: Authentication bypass with IP-based authentication in Admin 
Server](#CVE-2024-51504)
 * [CVE-2024-23944: Information disclosure in persistent watcher 
handling](#CVE-2024-23944)
 * [CVE-2023-44981: Authorization bypass in SASL Quorum Peer 
Authentication](#CVE-2023-44981)
 * [CVE-2019-0201: Information disclosure vulnerability in Apache 
ZooKeeper](#CVE-2019-0201)
@@ -38,6 +39,44 @@ their <a href="https://www.apache.org/security/";>Web 
page</a> for more informati
 * [CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli 
shell](#CVE-2016-5017)
 
 
+<a name="CVE-2024-51504"></a>
+### CVE-2024-51504: Authentication bypass with IP-based authentication in 
Admin Server
+
+Severity: important
+
+Affected versions:
+
+- Apache ZooKeeper 3.9.0 before 3.9.3
+
+Description:
+
+When using IPAuthenticationProvider in ZooKeeper Admin Server there is
+a possibility of Authentication Bypass by Spoofing -- this only impacts
+IP based authentication implemented in ZooKeeper Admin Server. Default
+configuration of client's IP address detection
+in IPAuthenticationProvider, which uses HTTP request headers, is
+weak and allows an attacker to bypass authentication via spoofing
+client's IP address in request headers. Default configuration honors X-
+Forwarded-For HTTP header to read client's IP address. X-Forwarded-For
+request header is mainly used by proxy servers to identify the client
+and can be easily spoofed by an attacker pretending that the request
+comes from a different IP address. Admin Server commands, such as
+snapshot and restore arbitrarily can be executed on successful
+exploitation which could potentially lead to information leakage or
+service availability issues. Users are recommended to upgrade to
+version 3.9.3, which fixes this issue.
+
+Credit:
+
+4ra1n (reporter)
+Y4tacker (reporter)
+
+References:
+
+[https://zookeeper.apache.org/](https://zookeeper.apache.org/)
+[https://www.cve.org/CVERecord?id=CVE-2024-51504](https://www.cve.org/CVERecord?id=CVE-2024-51504)
+
+
 <a name="CVE-2024-23944"></a>
 ### CVE-2024-23944: Information disclosure in persistent watcher handling
 
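Review bot: In the Description paragraph, "Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation" misplaces "arbitrarily"; as written it says the commands run arbitrarily rather than that an attacker can run them without authenticating, so reword to something like "On successful exploitation an attacker can execute Admin Server commands such as snapshot and restore, which could lead to information leakage or service availability issues." The same paragraph offers upgrading to 3.9.3 as the only remedy; since the weakness described is the Admin Server trusting the X-Forwarded-For header when IPAuthenticationProvider decides the client's address, the entry should say whether users who cannot upgrade immediately have a workaround (for example not relying on IP-based authentication for the Admin Server, or restricting network access to the Admin Server port so that only a trusted proxy that overwrites that header, or no proxy at all, sits in front of it). The References list links only the project home page and the CVE record; adding the fix commit or tracking issue would let readers verify what changed in 3.9.3. The Severity, Affected versions and Credit lines follow the format of the existing entries and need no change.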
