7.5
CVE-2026-24308
- EPSS 1.18%
- Veröffentlicht 07.03.2026 08:51:17
- Zuletzt bearbeitet 03.07.2026 13:17:01
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache ZooKeeper: Sensitive information disclosure in client configuration handling
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.18% | 0.638 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 3.3 | 1.8 | 1.4 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-117 Improper Output Neutralization for Logs
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
CWE-532 Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr
http://www.openwall.com/lists/oss-security/2026/03/07/5
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:8509
https://access.redhat.com/errata/RHSA-2026:14272
https://access.redhat.com/errata/RHSA-2026:14276
https://access.redhat.com/security/cve/CVE-2026-24308
https://bugzilla.redhat.com/show_bug.cgi?id=2445451
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24308.json
https://access.redhat.com/errata/RHSA-2026:34608