org.apache.zookeeper:zookeeper@3.7.2 vulnerabilities

latest version

3.9.2
latest non vulnerable version

3.9.2
first published

14 years ago
latest version published

3 months ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.zookeeper:zookeeper package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Information Exposure org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. Affected versions of this package are vulnerable to Information Exposure due to a missing ACL check in the handling of persistent watchers. An attacker can monitor child `znodes` by attaching a persistent watcher (`addWatch` command) to a parent node to which the attacker already has access. The server does not perform an ACL check when the persistent watcher is triggered, leading to the exposure of the full path of `znodes` that a watch event is triggered upon to the owner of the watcher. Note Only the path is exposed by this vulnerability, not the data in the `znode`. Since the `znode` path may contain sensitive information such as usernames or login IDs, the impact on confidentiality is "High". How to fix Information Exposure? Upgrade `org.apache.zookeeper:zookeeper` to version 3.8.3, 3.9.1 or higher.	[3.6.0,3.8.3) [3.9.0,3.9.1)

Information Exposure

org.apache.zookeeper:zookeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services.

Affected versions of this package are vulnerable to Information Exposure due to a missing ACL check in the handling of persistent watchers. An attacker can monitor child znodes by attaching a persistent watcher (addWatch command) to a parent node to which the attacker already has access. The server does not perform an ACL check when the persistent watcher is triggered, leading to the exposure of the full path of znodes that a watch event is triggered upon to the owner of the watcher.

Note

Only the path is exposed by this vulnerability, not the data in the znode. Since the znode path may contain sensitive information such as usernames or login IDs, the impact on confidentiality is "High".

How to fix Information Exposure?

Upgrade org.apache.zookeeper:zookeeper to version 3.8.3, 3.9.1 or higher.

[3.6.0,3.8.3) [3.9.0,3.9.1)

Go back to all versions of this package

org.apache.zookeeper:zookeeper@3.7.2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities