Apache ZooKeeper: Information disclosure in persistent watcher handling
Description
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.
Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.zookeeper:zookeeperMaven | >= 3.8.0, < 3.8.4 | 3.8.4 |
org.apache.zookeeper:zookeeperMaven | >= 3.9.0, < 3.9.2 | 3.9.2 |
org.apache.zookeeper:zookeeperMaven | >= 3.6.0, <= 3.7.2 | — |
Affected products
174- osv-coords173 versionspkg:apk/chainguard/confluent-common-dockerpkg:apk/chainguard/confluent-kafkapkg:apk/chainguard/hivepkg:apk/chainguard/hive-compatpkg:apk/chainguard/kafkapkg:apk/chainguard/kafka-bitnami-compatpkg:apk/chainguard/kafka-jre-bcfipspkg:apk/chainguard/solrpkg:apk/chainguard/solr-oci-compatpkg:apk/chainguard/spark-3.5pkg:apk/chainguard/spark-3.5-bitnami-compatpkg:apk/chainguard/spark-3.5-compatpkg:apk/chainguard/spark-3.5-minimal-openjdk-11pkg:apk/chainguard/spark-3.5-minimal-openjdk-17pkg:apk/chainguard/spark-3.5-minimal-openjdk-8pkg:apk/chainguard/spark-3.5-openjdk-11pkg:apk/chainguard/spark-3.5-openjdk-17pkg:apk/chainguard/spark-3.5-openjdk-8pkg:apk/chainguard/spark-3.5-scala-2.13pkg:apk/chainguard/tezpkg:apk/chainguard/trinopkg:apk/chainguard/trino-configpkg:apk/chainguard/trino-oci-entrypointpkg:apk/chainguard/trino-plugin-accumulopkg:apk/chainguard/trino-plugin-ai-functionspkg:apk/chainguard/trino-plugin-atoppkg:apk/chainguard/trino-plugin-bigquerypkg:apk/chainguard/trino-plugin-blackholepkg:apk/chainguard/trino-plugin-cassandrapkg:apk/chainguard/trino-plugin-clickhousepkg:apk/chainguard/trino-plugin-delta-lakepkg:apk/chainguard/trino-plugin-druidpkg:apk/chainguard/trino-plugin-duckdbpkg:apk/chainguard/trino-plugin-elasticsearchpkg:apk/chainguard/trino-plugin-example-httppkg:apk/chainguard/trino-plugin-exasolpkg:apk/chainguard/trino-plugin-exchange-filesystempkg:apk/chainguard/trino-plugin-exchange-hdfspkg:apk/chainguard/trino-plugin-fakerpkg:apk/chainguard/trino-plugin-functions-pythonpkg:apk/chainguard/trino-plugin-geospatialpkg:apk/chainguard/trino-plugin-google-sheetspkg:apk/chainguard/trino-plugin-hivepkg:apk/chainguard/trino-plugin-http-event-listenerpkg:apk/chainguard/trino-plugin-http-server-event-listenerpkg:apk/chainguard/trino-plugin-hudipkg:apk/chainguard/trino-plugin-icebergpkg:apk/chainguard/trino-plugin-ignitepkg:apk/chainguard/trino-plugin-jmxpkg:apk/chainguard/trino-plugin-kafkapkg:apk/chainguard/trino-plugin-kafka-event-listenerpkg:apk/chainguard/trino-plugin-kinesispkg:apk/chainguard/trino-plugin-kudupkg:apk/chainguard/trino-plugin-lakehousepkg:apk/chainguard/trino-plugin-ldap-group-providerpkg:apk/chainguard/trino-plugin-local-filepkg:apk/chainguard/trino-plugin-lokipkg:apk/chainguard/trino-plugin-mariadbpkg:apk/chainguard/trino-plugin-memorypkg:apk/chainguard/trino-plugin-mlpkg:apk/chainguard/trino-plugin-mongodbpkg:apk/chainguard/trino-plugin-mysqlpkg:apk/chainguard/trino-plugin-mysql-event-listenerpkg:apk/chainguard/trino-plugin-opapkg:apk/chainguard/trino-plugin-openlineagepkg:apk/chainguard/trino-plugin-opensearchpkg:apk/chainguard/trino-plugin-oraclepkg:apk/chainguard/trino-plugin-password-authenticatorspkg:apk/chainguard/trino-plugin-phoenix5pkg:apk/chainguard/trino-plugin-pinotpkg:apk/chainguard/trino-plugin-postgresqlpkg:apk/chainguard/trino-plugin-prometheuspkg:apk/chainguard/trino-plugin-rangerpkg:apk/chainguard/trino-plugin-raptor-legacypkg:apk/chainguard/trino-plugin-redispkg:apk/chainguard/trino-plugin-redshiftpkg:apk/chainguard/trino-plugin-resource-group-managerspkg:apk/chainguard/trino-plugin-session-property-managerspkg:apk/chainguard/trino-plugin-singlestorepkg:apk/chainguard/trino-plugin-snowflakepkg:apk/chainguard/trino-plugin-spooling-filesystempkg:apk/chainguard/trino-plugin-sqlserverpkg:apk/chainguard/trino-plugin-teradata-functionspkg:apk/chainguard/trino-plugin-thriftpkg:apk/chainguard/trino-plugin-tpcdspkg:apk/chainguard/trino-plugin-tpchpkg:apk/chainguard/trino-plugin-verticapkg:apk/wolfi/confluent-common-dockerpkg:apk/wolfi/confluent-kafkapkg:apk/wolfi/kafkapkg:apk/wolfi/kafka-bitnami-compatpkg:apk/wolfi/solrpkg:apk/wolfi/solr-oci-compatpkg:apk/wolfi/spark-3.5pkg:apk/wolfi/spark-3.5-bitnami-compatpkg:apk/wolfi/spark-3.5-compatpkg:apk/wolfi/spark-3.5-minimal-openjdk-11pkg:apk/wolfi/spark-3.5-minimal-openjdk-17pkg:apk/wolfi/spark-3.5-minimal-openjdk-8pkg:apk/wolfi/spark-3.5-openjdk-11pkg:apk/wolfi/spark-3.5-openjdk-17pkg:apk/wolfi/spark-3.5-openjdk-8pkg:apk/wolfi/spark-3.5-scala-2.13pkg:apk/wolfi/tezpkg:apk/wolfi/trinopkg:apk/wolfi/trino-configpkg:apk/wolfi/trino-oci-entrypointpkg:apk/wolfi/trino-plugin-accumulopkg:apk/wolfi/trino-plugin-ai-functionspkg:apk/wolfi/trino-plugin-atoppkg:apk/wolfi/trino-plugin-bigquerypkg:apk/wolfi/trino-plugin-blackholepkg:apk/wolfi/trino-plugin-cassandrapkg:apk/wolfi/trino-plugin-clickhousepkg:apk/wolfi/trino-plugin-delta-lakepkg:apk/wolfi/trino-plugin-druidpkg:apk/wolfi/trino-plugin-duckdbpkg:apk/wolfi/trino-plugin-elasticsearchpkg:apk/wolfi/trino-plugin-example-httppkg:apk/wolfi/trino-plugin-exasolpkg:apk/wolfi/trino-plugin-exchange-filesystempkg:apk/wolfi/trino-plugin-exchange-hdfspkg:apk/wolfi/trino-plugin-fakerpkg:apk/wolfi/trino-plugin-functions-pythonpkg:apk/wolfi/trino-plugin-geospatialpkg:apk/wolfi/trino-plugin-google-sheetspkg:apk/wolfi/trino-plugin-hivepkg:apk/wolfi/trino-plugin-http-event-listenerpkg:apk/wolfi/trino-plugin-http-server-event-listenerpkg:apk/wolfi/trino-plugin-hudipkg:apk/wolfi/trino-plugin-icebergpkg:apk/wolfi/trino-plugin-ignitepkg:apk/wolfi/trino-plugin-jmxpkg:apk/wolfi/trino-plugin-kafkapkg:apk/wolfi/trino-plugin-kafka-event-listenerpkg:apk/wolfi/trino-plugin-kinesispkg:apk/wolfi/trino-plugin-kudupkg:apk/wolfi/trino-plugin-lakehousepkg:apk/wolfi/trino-plugin-ldap-group-providerpkg:apk/wolfi/trino-plugin-local-filepkg:apk/wolfi/trino-plugin-lokipkg:apk/wolfi/trino-plugin-mariadbpkg:apk/wolfi/trino-plugin-memorypkg:apk/wolfi/trino-plugin-mlpkg:apk/wolfi/trino-plugin-mongodbpkg:apk/wolfi/trino-plugin-mysqlpkg:apk/wolfi/trino-plugin-mysql-event-listenerpkg:apk/wolfi/trino-plugin-opapkg:apk/wolfi/trino-plugin-openlineagepkg:apk/wolfi/trino-plugin-opensearchpkg:apk/wolfi/trino-plugin-oraclepkg:apk/wolfi/trino-plugin-password-authenticatorspkg:apk/wolfi/trino-plugin-phoenix5pkg:apk/wolfi/trino-plugin-pinotpkg:apk/wolfi/trino-plugin-postgresqlpkg:apk/wolfi/trino-plugin-prometheuspkg:apk/wolfi/trino-plugin-rangerpkg:apk/wolfi/trino-plugin-raptor-legacypkg:apk/wolfi/trino-plugin-redispkg:apk/wolfi/trino-plugin-redshiftpkg:apk/wolfi/trino-plugin-resource-group-managerspkg:apk/wolfi/trino-plugin-session-property-managerspkg:apk/wolfi/trino-plugin-singlestorepkg:apk/wolfi/trino-plugin-snowflakepkg:apk/wolfi/trino-plugin-spooling-filesystempkg:apk/wolfi/trino-plugin-sqlserverpkg:apk/wolfi/trino-plugin-teradata-functionspkg:apk/wolfi/trino-plugin-thriftpkg:apk/wolfi/trino-plugin-tpcdspkg:apk/wolfi/trino-plugin-tpchpkg:apk/wolfi/trino-plugin-verticapkg:bitnami/zookeeperpkg:maven/org.apache.zookeeper/zookeeper
< 7.6.9-r0+ 172 more
- (no CPE)range: < 7.6.9-r0
- (no CPE)range: < 8.2.0.367-r0
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 3.7.0-r2
- (no CPE)range: < 3.7.0-r2
- (no CPE)range: < 3.7.1-r0
- (no CPE)range: < 9.5.0-r2
- (no CPE)range: < 9.5.0-r2
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 0.10.4-r6
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 7.6.9-r0
- (no CPE)range: < 8.2.0.367-r0
- (no CPE)range: < 3.7.0-r2
- (no CPE)range: < 3.7.0-r2
- (no CPE)range: < 9.5.0-r2
- (no CPE)range: < 9.5.0-r2
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.1-r3
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 0.10.4-r6
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: < 443-r0
- (no CPE)range: >= 3.6.0, < 3.8.4
- (no CPE)range: >= 3.8.0, < 3.8.4
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-r978-9m6m-6gm6ghsaADVISORY
- lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79kghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-23944ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/03/14/2ghsaWEB
- github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5cghsaWEB
- github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01dghsaWEB
- github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8ghsaWEB
News mentions
0No linked articles in our index yet.