Thanks, Andor. Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is still OPEN and there is no PR link there.
https://issues.apache.org/jira/browse/ZOOKEEPER-4799

We are in 3.7.2 and may need to patch it ourselves.

Best,

Li

On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org> wrote:

> Severity: critical
>
> Affected versions:
>
> - Apache ZooKeeper 3.9.0 through 3.9.1
> - Apache ZooKeeper 3.8.0 through 3.8.3
> - Apache ZooKeeper 3.6.0 through 3.7.2
>
> Description:
>
> Information disclosure in persistent watchers handling in Apache ZooKeeper
> due to missing ACL check. It allows an attacker to monitor child znodes by
> attaching a persistent watcher (addWatch command) to a parent which the
> attacker has already access to. ZooKeeper server doesn't do ACL check when
> the persistent watcher is triggered and as a consequence, the full path of
> znodes that a watch event gets triggered upon is exposed to the owner of
> the watcher. It's important to note that only the path is exposed by this
> vulnerability, not the data of znode, but since znode path can contain
> sensitive information like user name or login ID, this issue is potentially
> critical.
>
> Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
> issue.
>
> Credit:
>
> 周吉安(寒泉) <zhoujian....@alibaba-inc.com> (reporter)
>
> References:
>
> https://zookeeper.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-23944
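
The behaviour described in the quoted advisory, as an added example that is not part of the thread: a simplified Python model of a persistent watch whose events are delivered with and without an ACL check at trigger time. It is not ZooKeeper's server code or the patch for ZOOKEEPER-4799; `ModelServer`, `PersistentWatch`, the principals and the znode paths are all hypothetical, and the read check at registration is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class PersistentWatch:
    owner: str                      # principal that called addWatch
    root: str                       # znode the watch is attached to
    events: list = field(default_factory=list)

class ModelServer:
    """Toy znode store: path -> set of principals with read permission."""
    def __init__(self, check_acl_on_trigger):
        self.check_acl_on_trigger = check_acl_on_trigger
        self.readers = {}
        self.watches = []

    def can_read(self, who, path):
        return who in self.readers.get(path, set())

    def add_watch(self, owner, root):
        # Model assumption: registration is checked against the root only.
        if not self.can_read(owner, root):
            raise PermissionError(f"{owner} cannot read {root}")
        watch = PersistentWatch(owner, root)
        self.watches.append(watch)
        return watch

    def create(self, path, readers):
        self.readers[path] = set(readers)
        for w in self.watches:
            if not path.startswith(w.root.rstrip("/") + "/"):
                continue
            # Hardened mode: re-check the owner's ACL on the changed znode.
            if self.check_acl_on_trigger and not self.can_read(w.owner, path):
                continue
            w.events.append(("NodeCreated", path))  # event carries full path

def observed_paths(check_acl_on_trigger):
    """Paths a low-privilege watcher learns; all names are constructed."""
    srv = ModelServer(check_acl_on_trigger)
    srv.create("/app", {"tenant-a", "admin"})
    watch = srv.add_watch("tenant-a", "/app")
    srv.create("/app/user-jdoe", {"admin"})            # not readable by tenant-a
    srv.create("/app/public", {"tenant-a", "admin"})
    return [path for _, path in watch.events]

if __name__ == "__main__":
    print("no ACL check on trigger:", observed_paths(False))
    print("ACL check on trigger:   ", observed_paths(True))
```

Without the trigger-time check the watcher's owner learns the path of a znode it cannot read; with the check only the readable child is reported.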