Startseite Erkunden Hilfe
Anmelden
apache
/
zookeeper
Mirror von https://gitee.com/apache/zookeeper.git
2
0
Fork 0
Dateien Issues 0 Wiki
Quellcode durchsuchen

Updated website content for CVE-2024-51504

Andor Molnar vor 1 Jahr
Ursprung
6b70d29d68
Commit
0cd6648d08
1 geänderte Dateien mit 39 neuen und 0 gelöschten Zeilen
Geteilte Ansicht Diff-Statistik anzeigen
  1. 39 0
      src/main/resources/markdown/security.md

+ 39 - 0
src/main/resources/markdown/security.md
Datei anzeigen 

@@ -30,6 +30,7 @@ their <a href="https://www.apache.org/security/">Web page</a> for more informati
 
 
 ## Vulnerability reports
 
 
+* [CVE-2024-51504: Authentication bypass with IP-based authentication in Admin Server](#CVE-2024-51504)
 
 * [CVE-2024-23944: Information disclosure in persistent watcher handling](#CVE-2024-23944)
 
 * [CVE-2023-44981: Authorization bypass in SASL Quorum Peer Authentication](#CVE-2023-44981)
 
 * [CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper](#CVE-2019-0201)
 
@@ -38,6 +39,44 @@ their <a href="https://www.apache.org/security/">Web page</a> for more informati
 
 * [CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell](#CVE-2016-5017)
 
 
 
+<a name="CVE-2024-51504"></a>
 
+### CVE-2024-51504: Authentication bypass with IP-based authentication in Admin Server
 
+
 
+Severity: important
 
+
 
+Affected versions:
 
+
 
+- Apache ZooKeeper 3.9.0 before 3.9.3
 
+
 
+Description:
 
+
 
+When using IPAuthenticationProvider in ZooKeeper Admin Server there is
 
+a possibility of Authentication Bypass by Spoofing -- this only impacts
 
+IP based authentication implemented in ZooKeeper Admin Server. Default
 
+configuration of client's IP address detection
 
+in IPAuthenticationProvider, which uses HTTP request headers, is
 
+weak and allows an attacker to bypass authentication via spoofing
 
+client's IP address in request headers. Default configuration honors X-
 
+Forwarded-For HTTP header to read client's IP address. X-Forwarded-For
 
+request header is mainly used by proxy servers to identify the client
 
+and can be easily spoofed by an attacker pretending that the request
 
+comes from a different IP address. Admin Server commands, such as
 
+snapshot and restore arbitrarily can be executed on successful
 
+exploitation which could potentially lead to information leakage or
 
+service availability issues. Users are recommended to upgrade to
 
+version 3.9.3, which fixes this issue.
 
+
 
+Credit:
 
+
 
+4ra1n (reporter)
 
+Y4tacker (reporter)
 
+
 
+References:
 
+
 
+[https://zookeeper.apache.org/](https://zookeeper.apache.org/)
 
+[https://www.cve.org/CVERecord?id=CVE-2024-51504](https://www.cve.org/CVERecord?id=CVE-2024-51504)
 
+
 
+
 
 <a name="CVE-2024-23944"></a>
 
 ### CVE-2024-23944: Information disclosure in persistent watcher handling