Latest version: 3.9.3 (first published 14 years ago; latest version published 2 months ago)
Known vulnerabilities in the org.apache.zookeeper:zookeeper package. This does not include vulnerabilities belonging to this package’s dependencies.
org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services.

| Vulnerability | Vulnerable Version | How to fix |
|---|---|---|
| Authorization Bypass Through User-Controlled Key. When SASL Quorum Peer authentication is enabled (`quorum.auth.enableSasl=true`), an attacker can bypass the authorization check by omitting the instance part in the SASL authentication ID. This allows an arbitrary endpoint to join the cluster and propagate counterfeit changes to the leader, effectively granting it full read-write access to the data tree. Note: | [,3.7.2), [3.8.0,3.8.3), [3.9.0,3.9.1) | Upgrade |
| Access Control Bypass. ZooKeeper’s | [,3.4.14), [3.5.0-alpha,3.5.5) | Upgrade |
| Authentication Bypass. No authentication/authorization is enforced when a server attempts to join a quorum; as a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader. | [,3.4.10), [3.5.0-alpha,3.5.4-beta) | Upgrade |
| Denial of Service (DoS). Four letter zookeeper commands (such as | [3.4.6,3.4.10), [3.5.0-alpha,3.5.3-beta) | Upgrade |
| Insufficiently Protected Credentials. The package logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log. | [3.3.0,3.4.7), [3.5.0-alpha,3.5.1-alpha) | Upgrade |