Apache ZooKeeper 3.9.2/3.8.4 Pers Watch Path Disclosure
CVE-2024-23944 Published on March 15, 2024

Apache ZooKeeper: Information disclosure in persistent watcher handling
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-23944 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2024-23944 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2024-23944

stack.watch emails you whenever new vulnerabilities are published in Oracle or Apache Zookeeper. Just hit a watch button to start following.

Oracle
 
Apache Zookeeper
 

Affected Versions

Apache Software Foundation Apache ZooKeeper:

Exploit Probability

EPSS
0.03%
Percentile
7.49%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.