Source: zookeeper
Version: 3.9.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for zookeeper.

CVE-2024-23944[0]:
| Information disclosure in persistent watchers handling in Apache
| ZooKeeper due to missing ACL check. It allows an attacker to monitor
| child znodes by attaching a persistent watcher (addWatch command) to
| a parent which the attacker has already access to. ZooKeeper server
| doesn't do ACL check when the persistent watcher is triggered and as
| a consequence, the full path of znodes that a watch event gets
| triggered upon is exposed to the owner of the watcher. It's
| important to note that only the path is exposed by this
| vulnerability, not the data of znode, but since znode path can
| contain sensitive information like user name or login ID, this issue
| is potentially critical. Users are recommended to upgrade to
| version 3.9.2, 3.8.4 which fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23944
    https://www.cve.org/CVERecord?id=CVE-2024-23944
[1] https://www.openwall.com/lists/oss-security/2024/03/14/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
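The following is an added illustration, not part of the bug report above and not Apache ZooKeeper code. It models the mechanism the CVE text describes with a toy znode tree: a persistent recursive watcher attached to a parent the owner can read, and a server that either delivers events for every descendant (the vulnerable behaviour) or first checks READ on the znode the event concerns (an assumed fix, written here for illustration only). It also includes a small helper that reports whether a Debian-style version string is at or above the fixed releases named in the advisory. All names, the ACL scheme and the sample paths are constructed.

```python
# Constructed model of ZooKeeper persistent recursive watchers (addWatch)
# illustrating CVE-2024-23944. This is example code written for this bug
# report, not Apache ZooKeeper code; the names and the toy ACL scheme are
# assumptions made for the illustration.
from dataclasses import dataclass, field

# Permission bits, a constructed subset of ZooKeeper's READ/CREATE perms
READ = 1
CREATE = 4


@dataclass
class ZNode:
    path: str
    acl: dict  # identity -> permission bits


@dataclass
class Watcher:
    owner: str
    path: str                        # root of a persistent recursive watch
    events: list = field(default_factory=list)


class ToyServer:
    """Minimal znode tree with ACLs and persistent recursive watchers.

    check_acl_on_trigger=False models the vulnerable behaviour: events are
    delivered for every descendant, regardless of whether the watcher's
    owner may read the znode the event concerns.
    check_acl_on_trigger=True models a fix: READ on the affected znode is
    required before its path is revealed (assumed fix, for illustration).
    """

    def __init__(self, check_acl_on_trigger: bool):
        self.check_acl_on_trigger = check_acl_on_trigger
        self.nodes = {"/": ZNode("/", {"admin": READ | CREATE, "alice": READ})}
        self.watchers = []

    def _has_perm(self, identity, path, perm):
        return bool(self.nodes[path].acl.get(identity, 0) & perm)

    def create(self, identity, path, acl):
        parent = path.rsplit("/", 1)[0] or "/"
        if not self._has_perm(identity, parent, CREATE):
            raise PermissionError(f"{identity} may not create under {parent}")
        self.nodes[path] = ZNode(path, acl)
        self._trigger("NodeCreated", path)

    def add_watch(self, identity, path):
        # addWatch itself checks READ on the watched path; that check is
        # present in the vulnerable version too and is not the problem.
        if not self._has_perm(identity, path, READ):
            raise PermissionError(f"{identity} may not watch {path}")
        w = Watcher(identity, path)
        self.watchers.append(w)
        return w

    def _trigger(self, event, path):
        for w in self.watchers:
            prefix = w.path.rstrip("/") + "/"
            if path != w.path and not path.startswith(prefix):
                continue
            if self.check_acl_on_trigger and not self._has_perm(w.owner, path, READ):
                continue  # fixed: a path the owner cannot read is not revealed
            w.events.append((event, path))


def paths_seen_by_watcher(check_acl_on_trigger: bool):
    """Run the scenario from the advisory and return the paths the
    watcher's owner learns about."""
    srv = ToyServer(check_acl_on_trigger)
    # /users is readable by alice; the per-user children are admin-only
    srv.create("admin", "/users", {"admin": READ | CREATE, "alice": READ})
    w = srv.add_watch("alice", "/users")
    # constructed child path standing in for a sensitive login ID
    srv.create("admin", "/users/login-id-12345", {"admin": READ})
    return [path for _event, path in w.events]


def is_fixed_version(version: str) -> bool:
    """True if a ZooKeeper version string (Debian revision allowed, e.g.
    '3.9.1-1') is at or above the fixed releases named in the advisory:
    3.9.2 on the 3.9 branch, 3.8.4 on the 3.8 branch. Other branches are
    conservatively reported as not fixed."""
    upstream = version.split("-", 1)[0]
    major, minor, patch = (int(x) for x in upstream.split(".")[:3])
    fixed_patch = {(3, 9): 2, (3, 8): 4}.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


if __name__ == "__main__":
    print("vulnerable:", paths_seen_by_watcher(False))
    print("fixed:     ", paths_seen_by_watcher(True))
    print("3.9.1-1 fixed?", is_fixed_version("3.9.1-1"))
```

Running it shows the owner of the watch learning "/users/login-id-12345" in the vulnerable mode and nothing in the checked mode, which is the whole substance of the disclosure: the child's data is never returned, only its path. The version helper treats the packaged 3.9.1-1 as affected and anything outside the 3.8/3.9 branches as unknown, which for triage purposes is the safe answer.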