CVE-2024-23944: 
Java vulnerability analysis and mitigation

Information disclosure vulnerability (CVE-2024-23944) was discovered in Apache ZooKeeper's persistent watchers handling mechanism due to a missing ACL check. The vulnerability affects Apache ZooKeeper versions 3.9.0 through 3.9.1, 3.8.0 through 3.8.3, and 3.6.0 through 3.7.2. The issue was disclosed on March 14, 2024, and has been rated as critical (OpenWall).

The vulnerability stems from a missing Access Control List (ACL) check in the ZooKeeper server when persistent watchers are triggered. It specifically involves the addWatch command functionality, where the server fails to perform proper ACL verification during watcher event triggers. The issue has been assigned CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD). The CVSS 3.1 base score is 5.3 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

While the vulnerability only exposes the full path of znodes and not their actual data, this can still lead to the disclosure of sensitive information such as usernames or login IDs that might be contained within the znode paths. An attacker who has access to a parent znode can monitor child znodes by attaching a persistent watcher, potentially gaining unauthorized access to sensitive path information (OpenWall).

Users are strongly recommended to upgrade to Apache ZooKeeper version 3.9.2 or 3.8.4, which contain the fix for this vulnerability (OpenWall).