org.apache.zookeeper:zookeeper@3.6.0 vulnerabilities

latest version

3.9.2
latest non vulnerable version

3.9.2
first published

14 years ago
latest version published

2 months ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.zookeeper:zookeeper package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Information Exposure org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. Affected versions of this package are vulnerable to Information Exposure due to a missing ACL check in the handling of persistent watchers. An attacker can monitor child `znodes` by attaching a persistent watcher (`addWatch` command) to a parent node to which the attacker already has access. The server does not perform an ACL check when the persistent watcher is triggered, leading to the exposure of the full path of `znodes` that a watch event is triggered upon to the owner of the watcher. Note Only the path is exposed by this vulnerability, not the data in the `znode`. Since the `znode` path may contain sensitive information such as usernames or login IDs, the impact on confidentiality is "High". How to fix Information Exposure? Upgrade `org.apache.zookeeper:zookeeper` to version 3.8.3, 3.9.1 or higher.	[3.6.0,3.8.3) [3.9.0,3.9.1)
H Authorization Bypass Through User-Controlled Key org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key when the SASL Quorum Peer authentication is enabled (`quorum.auth.enableSasl=true), an attacker can bypass the authorization check by omitting the instance part in the SASL authentication ID. This allows an arbitrary endpoint to join the cluster and propagate counterfeit changes to the leader, effectively granting it full read-write access to the data tree. Note: This is only exploitable if `quorum.auth.enableSasl=true` is set in the configuration. Quorum Peer authentication is not enabled by default. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `org.apache.zookeeper:zookeeper` to version 3.7.2, 3.8.3, 3.9.1 or higher.	[,3.7.2) [3.8.0,3.8.3) [3.9.0,3.9.1)

Information Exposure

org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services.

Affected versions of this package are vulnerable to Information Exposure due to a missing ACL check in the handling of persistent watchers. An attacker can monitor child znodes by attaching a persistent watcher (addWatch command) to a parent node to which the attacker already has access. The server does not perform an ACL check when the persistent watcher is triggered, leading to the exposure of the full path of znodes that a watch event is triggered upon to the owner of the watcher.

Note

Only the path is exposed by this vulnerability, not the data in the znode. Since the znode path may contain sensitive information such as usernames or login IDs, the impact on confidentiality is "High".

How to fix Information Exposure?

Upgrade org.apache.zookeeper:zookeeper to version 3.8.3, 3.9.1 or higher.

[3.6.0,3.8.3) [3.9.0,3.9.1)

Authorization Bypass Through User-Controlled Key

org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key when the SASL Quorum Peer authentication is enabled (`quorum.auth.enableSasl=true), an attacker can bypass the authorization check by omitting the instance part in the SASL authentication ID. This allows an arbitrary endpoint to join the cluster and propagate counterfeit changes to the leader, effectively granting it full read-write access to the data tree.

Note:

This is only exploitable if quorum.auth.enableSasl=true is set in the configuration.
Quorum Peer authentication is not enabled by default.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade org.apache.zookeeper:zookeeper to version 3.7.2, 3.8.3, 3.9.1 or higher.

[,3.7.2) [3.8.0,3.8.3) [3.9.0,3.9.1)

Go back to all versions of this package

org.apache.zookeeper:zookeeper@3.6.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities