Описание
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
A flaw was found in Apache ZooKeeper. Improper handling of configuration values in ZKConfig allows an attacker to expose sensitive information. This occurs when sensitive client configuration values are logged at an INFO level in the client's logfile. This vulnerability can lead to information disclosure, potentially revealing critical system details to unauthorized parties.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat AMQ Broker 7 | zookeeper | Affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | zookeeper | Not affected | ||
| Red Hat build of Debezium 2 | zookeeper | Will not fix | ||
| Red Hat build of Debezium 3 | zookeeper | Will not fix | ||
| Red Hat Data Grid 8 | zookeeper | Fix deferred | ||
| Red Hat Fuse 7 | zookeeper | Fix deferred | ||
| Red Hat JBoss Enterprise Application Platform 7 | zookeeper | Fix deferred | ||
| Red Hat JBoss Enterprise Application Platform 8 | zookeeper | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | zookeeper | Affected | ||
| Red Hat Offline Knowledge Portal | offline-knowledge-portal/rhokp-rhel9 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
3.3 Low
CVSS3
Связанные уязвимости
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Improper handling of configuration values in ZKConfig in Apache ZooKee ...
EPSS
3.3 Low
CVSS3