CVE-2024-23944 (Medium) detected in zookeeper-3.7.2.jar, zookeeper-3.8.3.jar #4290
Assignees
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Milestone
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
dlvenable
added a commit
to dlvenable/data-prepper
that referenced
this issue
Mar 21, 2024
…3944, CVE-2023-52428. Move some constraints such that they are only in the projects needing them. Resolves opensearch-project#4282, opensearch-project#4290, opensearch-project#4296. Signed-off-by: David Venable <dlv@amazon.com>
4 tasks
dlvenable
added a commit
that referenced
this issue
Mar 21, 2024
Updates transitive dependencies to resolve CVE-2023-51775, CVE-2024-23944, CVE-2023-52428. Move some constraints such that they are only in the projects needing them. Resolves #4282, #4290, #4296. Signed-off-by: David Venable <dlv@amazon.com>
|
Closed by #4308. |
github-project-automation
bot
moved this from Unplanned
to Done
in Data Prepper Tracking Board
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-23944 - Medium Severity Vulnerability
zookeeper-3.7.2.jar
ZooKeeper server
Library home page: http://zookeeper.apache.org
Path to dependency file: /release/archives/linux/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.7.2/3b7c2c26b697094fc29e5a78a522cffa1a55b26d/zookeeper-3.7.2.jar
Dependency Hierarchy:
zookeeper-3.8.3.jar
ZooKeeper server
Library home page: http://zookeeper.apache.org
Path to dependency file: /data-prepper-plugins/kafka-plugins/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.8.3/97bb82af5b529ec14e9c2d44b96884544f0db743/zookeeper-3.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 774fa213614252c4772b018731452f020cafa16a
Found in base branch: main
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.
Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
Publish Date: 2024-03-15
URL: CVE-2024-23944
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q1/229
Release Date: 2024-03-15
Fix Resolution: 3.8.4
The text was updated successfully, but these errors were encountered: