Hi Li, That's the right ticket.
I've just updated the Jira ticket with the links to the commits. There's no PR since it was a security fix, but looks like we forgot to add it to the master branch. Damien, would you please take care of that? Btw, we don't plan to fix it in the 3.7 release line, but the patch is already on the branch for your convenience: 29c7b9462681f47c2ac12e609341cf9f52abac5c Regards, Andor On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote: > Thanks, Andor. > > Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a > JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status > is > still OPEN and there is no PR link there. > > https://issues.apache.org/jira/browse/ZOOKEEPER-4799 > > We are in 3.7.2 and may need to patch it ourselves. > > Best, > > Li > > > > On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org> > wrote: > > > Severity: critical > > > > Affected versions: > > > > - Apache ZooKeeper 3.9.0 through 3.9.1 > > - Apache ZooKeeper 3.8.0 through 3.8.3 > > - Apache ZooKeeper 3.6.0 through 3.7.2 > > > > Description: > > > > Information disclosure in persistent watchers handling in Apache > > ZooKeeper > > due to missing ACL check. It allows an attacker to monitor child > > znodes by > > attaching a persistent watcher (addWatch command) to a parent which > > the > > attacker has already access to. ZooKeeper server doesn't do ACL > > check when > > the persistent watcher is triggered and as a consequence, the full > > path of > > znodes that a watch event gets triggered upon is exposed to the > > owner of > > the watcher. It's important to note that only the path is exposed > > by this > > vulnerability, not the data of znode, but since znode path can > > contain > > sensitive information like user name or login ID, this issue is > > potentially > > critical. > > > > Users are recommended to upgrade to version 3.9.2, 3.8.4 which > > fixes the > > issue. > > > > Credit: > > > > 周吉安(寒泉) <zhoujian....@alibaba-inc.com> (reporter) > > > > References: > > > > https://zookeeper.apache.org/ > > https://www.cve.org/CVERecord?id=CVE-2024-23944 > > > >
