7.5

CVE-2026-24308

Medienbericht

Apache ZooKeeper: Sensitive information disclosure in client configuration handling

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheZookeeper Version >= 3.8.0 < 3.8.6
ApacheZookeeper Version >= 3.9.0 < 3.9.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.18% 0.638
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 3.3 1.8 1.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:19
https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/03/07/5
Third Party Advisory
Mailing List
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:8509
https://access.redhat.com/errata/RHSA-2026:14272
https://access.redhat.com/errata/RHSA-2026:14276
https://access.redhat.com/security/cve/CVE-2026-24308
https://bugzilla.redhat.com/show_bug.cgi?id=2445451
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24308.json
https://access.redhat.com/errata/RHSA-2026:34608