[<prev] [day] [month] [year] [list]
Message-ID: <4998453e-dcc1-c7e8-1350-66fa2678e6f8@apache.org>
Date: Sat, 07 Mar 2026 00:06:10 +0000
From: Andor Molnar <andor@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-24308: Apache ZooKeeper: Sensitive information disclosure
in client configuration handling
Severity: important
Affected versions:
- Apache ZooKeeper (org.apache.zookeeper:zookeeper) 3.9.0 through 3.9.4
- Apache ZooKeeper (org.apache.zookeeper:zookeeper) 3.8.0 through 3.8.5
Description:
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Credit:
Youlong Chen <chenyoulong20g@....ac.cn> (reporter)
References:
https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-24308
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
