| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.zookeeper:zookeeper | maven | >= 3.9.0, < 3.9.4 | 3.9.4 |
The vulnerability lies in how ZooKeeper's AdminServer checks permissions for commands. The core of the issue is in the handleAuthorization method within the org.apache.zookeeper.server.admin.Commands class.
Before the patch, this method compared the client's permissions against the full set of required permissions in a single bitmask test. That test was flawed: a client holding only a subset of the required permission bits could still pass it and be granted access. The vulnerability is particularly impactful for the snapshot and restore commands, which are powerful administrative operations.
The fix, introduced in commit 71e173fcbcc9deb784081cf867bd045df3c32635, changes the logic to check each permission bit individually within a loop. This ensures that a client must have every single required permission before the command can proceed.
Therefore, the function org.apache.zookeeper.server.admin.Commands.handleAuthorization is the identified vulnerable function. During an exploit attempt targeting the snapshot or restore commands, this function would be in the call stack and is where the faulty permission check would occur. The new test case testAuthCheck_noPerms added in the patch confirms this scenario: it tries to execute a command with READ permission when ADMIN is required, and with the fix, it correctly fails.
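The two check styles described above, modelled side by side as an added example (this is not ZooKeeper's own code). The any-bit expression used for the pre-patch check and the READ|ADMIN requirement assumed for snapshot/restore are assumptions for the demonstration; the page does not state either. The bit values follow org.apache.zookeeper.ZooDefs.Perms.

```java
// Added example: models the flawed single-bitmask check and the patched
// per-bit loop. Not ZooKeeper code; the pre-patch "any bit" expression and
// the READ|ADMIN requirement are assumptions used for the demonstration.
public final class AdminAuthCheckDemo {
    // Bit values follow org.apache.zookeeper.ZooDefs.Perms
    static final int READ = 1, WRITE = 2, CREATE = 4, DELETE = 8, ADMIN = 16;

    // Pre-patch shape (assumed): the whole required mask is tested in one step,
    // so a client holding any single required bit satisfies the check.
    static boolean flawedCheck(int clientPerms, int requiredPerms) {
        return (clientPerms & requiredPerms) != 0;
    }

    // Patched shape: walk each bit of the required mask individually; every
    // required bit must be present in the client's permissions.
    static boolean fixedCheck(int clientPerms, int requiredPerms) {
        for (int i = 0; i < Integer.SIZE; i++) {
            int bit = 1 << i;
            boolean required = (requiredPerms & bit) != 0;
            boolean held = (clientPerms & bit) != 0;
            if (required && !held) {
                return false;
            }
        }
        return true;
    }

    // Renders a permission mask as READ|ADMIN etc. for the printed comparison.
    static String perms(int mask) {
        String[] names = {"READ", "WRITE", "CREATE", "DELETE", "ADMIN"};
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < names.length; i++) {
            if ((mask & (1 << i)) != 0) {
                sb.append(sb.length() == 0 ? "" : "|").append(names[i]);
            }
        }
        return sb.length() == 0 ? "NONE" : sb.toString();
    }

    public static void main(String[] args) {
        int required = READ | ADMIN; // assumed requirement for snapshot/restore
        int[] clients = {READ, ADMIN, READ | ADMIN, WRITE, 0};
        for (int client : clients) {
            System.out.printf("client=%-10s required=%s flawed=%-5b fixed=%b%n",
                    perms(client), perms(required),
                    flawedCheck(client, required), fixedCheck(client, required));
        }
        // The READ-only client mirrors testAuthCheck_noPerms: the flawed check
        // lets it through, the per-bit check rejects it because ADMIN is missing.
    }
}
```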