apache/zookeeper: The latest CVE Vulnerabilities and Exploits for Penetration Test

Last Updated: 2023-05-04

Page content

apache/zookeeper Vulnerability Summary

Vendor name: apache
Product name: zookeeper
Total vulnerabilities: 9 (as 2023-05-04)

apache/zookeeper Vulnerability List

CVE-2021-34429: For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted…

Published: 2021-07-15T17:15:00 Last Modified: 2022-02-07T16:16:00

Summary

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

Common Weakness Enumeration (CWE): CWE-863: Incorrect Authorization

CWE Description: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2021-34429 vulnerability.

Eclipse Jetty 11.0.5 - Sensitive File Disclosure by Mayank Deshmukh at 2021-11-03

References

CVE-2021-28169: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the…

Published: 2021-06-09T02:15:00 Last Modified: 2022-02-07T16:15:00

Summary

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE Description: Separate mistakes or weaknesses could inadvertently make the sensitive information available to an attacker, such as in a detailed error message that can be read by an unauthorized party

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-28169 vulnerability.

References

CVE-2021-29425: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an…

Published: 2021-04-13T07:15:00 Last Modified: 2022-02-10T10:15:00

Summary

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like “//../foo”, or “\..\foo”, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus “limited” path traversal), if the calling code would use the result to construct a path value.

Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CWE Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Scores

Impact Score: 4.9
Exploitability Score: 8.6
CVSS: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-29425 vulnerability.

References

CVE-2021-28164: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows…

Published: 2021-04-01T15:15:00 Last Modified: 2022-02-07T16:15:00

Summary

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Common Weakness Enumeration (CWE): CWE-863: Incorrect Authorization

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2021-28164 vulnerability.

Jetty 9.4.37.v20210219 - Information Disclosure by Mayank Deshmukh at 2021-10-22

References

CVE-2021-21295: Netty is an open-source, asynchronous event-driven network application framework for rapid…

Published: 2021-03-09T19:15:00 Last Modified: 2021-12-10T02:09:00

Summary

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel’s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Common Weakness Enumeration (CWE): CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

CWE Description: When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.

Scores

Impact Score: 2.9
Exploitability Score: 4.9
CVSS: 2.6
CVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: HIGH
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-21295 vulnerability.

References

CVE-2019-0201: An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta….

Published: 2019-05-23T14:29:00 Last Modified: 2021-08-16T13:15:00

Summary

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Common Weakness Enumeration (CWE): CWE-862: Missing Authorization

CWE Description: The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2019-0201 vulnerability.

References

CVE-2018-8012: No authentication/authorization is enforced when a server attempts to join a quorum in Apache…

Published: 2018-05-21T19:29:00 Last Modified: 2021-09-14T12:13:00

Summary

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Common Weakness Enumeration (CWE): CWE-862: Missing Authorization

CWE Description: The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-8012 vulnerability.

References

CVE-2017-5637: Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU…

Published: 2017-10-10T01:30:00 Last Modified: 2021-07-20T23:15:00

Summary

Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Common Weakness Enumeration (CWE): CWE-306: Missing Authentication for Critical Function

CWE Description: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2017-5637 vulnerability.

Zookeeper 3.5.2 Client - Denial of Service by Brandon Dennis at 2017-07-02

References

CVE-2016-5017: Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when…

Published: 2016-09-21T14:25:00 Last Modified: 2021-11-17T22:15:00

Summary

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the “cmd:” batch mode syntax, allows attackers to have unspecified impact via a long command string.

Common Weakness Enumeration (CWE): CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE Description: The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-5017 vulnerability.

References