漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication
Vulnerability Description
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.
CVSS Information
N/A
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Apache ZooKeeper 安全漏洞
Vulnerability Description
Apache Zookeeper是美国阿帕奇(Apache)基金会的一个软件项目,它能够为大型分布式计算提供开源的分布式配置服务、同步服务和命名注册等功能。 Apache ZooKeeper 3.9.1之前、3.8.3之前、3.7.2之前版本存在安全漏洞,该漏洞源于如果在 ZooKeeper 中启用了 SASL Quorum Peer 身份验证 (quorum.auth.enableSasl=true),则通过验证 SASL 身份验证 ID 中的实例部分会在 Zoo 中列出来,SASL 身份验证 ID 中
CVSS Information
N/A
Vulnerability Type
N/A