UBUNTU-CVE-2024-51504

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2024-51504
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-51504.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-51504
Related
Published
2024-11-07T10:15:00Z
Modified
2024-12-18T16:42:30Z
Summary
[none]
Details

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

References

Affected packages

Ubuntu:Pro:14.04:LTS / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.5+dfsg-1
3.4.5+dfsg-1ubuntu0.1~esm1
3.4.5+dfsg-1ubuntu0.1~esm3

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.6-8
3.4.7-1
3.4.8-1
3.4.8-1ubuntu0.1~esm1
3.4.8-1ubuntu0.1~esm2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.10-2
3.4.10-3
3.4.13-3
3.4.13-3ubuntu0.1~esm1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.13-1
3.4.13-3
3.4.13-3build1
3.4.13-4
3.4.13-5
3.4.13-5build1
3.4.13-5ubuntu0.1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.13-5ubuntu4
3.4.13-6ubuntu2
3.4.13-6ubuntu3
3.4.13-6ubuntu4
3.4.13-6ubuntu4.1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.9.1-1build2
3.9.2-2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / zookeeper

Package

Name
zookeeper
Purl
pkg:deb/ubuntu/zookeeper?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.0-11
3.9.1-1
3.9.1-1build1
3.9.1-1build2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}