This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 34491076c Website update for CVE-2024-51504
34491076c is described below

commit 34491076c51a566a4ae5f9e9938d55b40c160bb2
Author: Andor Molnar <an...@cloudera.com>
AuthorDate: Wed Nov 6 11:20:33 2024 -0600

    Website update for CVE-2024-51504
---
 content/security.html | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/content/security.html b/content/security.html
index dbb70751f..df65d5adb 100644
--- a/content/security.html
+++ b/content/security.html
@@ -95,6 +95,7 @@ target="_top">secur...@zookeeper.apache.org</a>. In the 
message, try to provide
 <p>The ASF Security team maintains a page with a description of how 
vulnerabilities are handled, check their <a 
href="https://www.apache.org/security/";>Web page</a> for more information.</p>
 <h2>Vulnerability reports</h2>
 <ul>
+<li><a href="#CVE-2024-51504">CVE-2024-51504: Authentication bypass with 
IP-based authentication in Admin Server</a></li>
 <li><a href="#CVE-2024-23944">CVE-2024-23944: Information disclosure in 
persistent watcher handling</a></li>
 <li><a href="#CVE-2023-44981">CVE-2023-44981: Authorization bypass in SASL 
Quorum Peer Authentication</a></li>
 <li><a href="#CVE-2019-0201">CVE-2019-0201: Information disclosure 
vulnerability in Apache ZooKeeper</a></li>
@@ -102,6 +103,19 @@ target="_top">secur...@zookeeper.apache.org</a>. In the 
message, try to provide
 <li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four 
letter words (4lw)</a></li>
 <li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in 
ZooKeeper C cli shell</a></li>
 </ul>
+<p><a name="CVE-2024-51504"></a></p>
+<h3>CVE-2024-51504: Authentication bypass with IP-based authentication in 
Admin Server</h3>
+<p>Severity: important</p>
+<p>Affected versions:</p>
+<ul>
+<li>Apache ZooKeeper 3.9.0 before 3.9.3</li>
+</ul>
+<p>Description:</p>
+<p>When using IPAuthenticationProvider in ZooKeeper Admin Server there is a 
possibility of Authentication Bypass by Spoofing -- this only impacts IP based 
authentication implemented in ZooKeeper Admin Server. Default configuration of 
client's IP address detection in IPAuthenticationProvider, which uses HTTP 
request headers, is weak and allows an attacker to bypass authentication via 
spoofing client's IP address in request headers. Default configuration honors 
X- Forwarded-For HTTP header [...]
+<p>Credit:</p>
+<p>4ra1n (reporter) Y4tacker (reporter)</p>
+<p>References:</p>
+<p><a href="https://zookeeper.apache.org/";>https://zookeeper.apache.org/</a> 
<a 
href="https://www.cve.org/CVERecord?id=CVE-2024-51504";>https://www.cve.org/CVERecord?id=CVE-2024-51504</a></p>
 <p><a name="CVE-2024-23944"></a></p>
 <h3>CVE-2024-23944: Information disclosure in persistent watcher handling</h3>
 <p>Severity: critical</p>
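Review bot: the description paragraph added at `+<p>When using IPAuthenticationProvider in ZooKeeper Admin Server there is a` ends with `[...]` and never closes its `<p>`, so the advisory text is cut off mid-sentence (right where the X-Forwarded-For handling is explained) and the element stays open until the next `<p>`. Complete the description and close the tag; while there, confirm the rendered page reads `X-Forwarded-For` rather than `X- Forwarded-For`, and consider a mitigation line pointing at 3.9.3, since the fixed version is currently only implied by the "Apache ZooKeeper 3.9.0 before 3.9.3" entry. The credit line `+<p>4ra1n (reporter) Y4tacker (reporter)</p>` also runs the two reporters together without a separator, and the two references share one `<p>` with no break between them.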