CVE-2024-23944 in ZooKeeper
Summary
by MITRE • 03/15/2024
Information disclosure in persistent watcher handling in Apache ZooKeeper due to a missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent to which the attacker already has access. The ZooKeeper server doesn't do an ACL check when the persistent watcher is triggered and, as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of the znode, but since a znode path can contain sensitive information like a user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fix the issue.
Analysis
by VulDB Data Team • 07/03/2025
Apache ZooKeeper vulnerability CVE-2024-23944 is an information disclosure flaw in the persistent watcher mechanism that breaks ZooKeeper's access control model. The server fails to perform an access control list (ACL) check when a persistent watcher fires, so a client that can read a parent znode can attach a persistent watcher to it and learn about descendant znodes whose ACLs would otherwise deny it access. Registration of the watcher is checked correctly; only event delivery is not. The vulnerability affects the 3.9 line before 3.9.2 and the 3.8 line before 3.8.4. Persistent watchers (the addWatch operation) were introduced in 3.6.0, so the older 3.6 and 3.7 releases are affected as well, and only the 3.8 and 3.9 lines received a fix.
Technically, the flaw is a missing ACL validation at event-delivery time. Attaching the watcher is checked correctly: addWatch requires read permission on the watched znode, and the attacker holds that permission on the parent. The missing check is at trigger time. When a znode below the watched path is created or deleted, the server delivers the event to every persistent watcher registered on an ancestor without verifying that the watcher's session is permitted to see the node that caused the event. The disclosure is specific to recursive mode (AddWatchMode.PERSISTENT_RECURSIVE), where the event carries the full path of the affected descendant; a non-recursive persistent watch only reports that the parent's child list changed and names the parent. Because read permission on a znode already allows listing its direct children with getChildren, the genuinely new information is the names of deeper descendants, that is, children of an intermediate node the attacker is not permitted to read, which it could never enumerate directly. Watch events never carry znode data, which is why the exposure is limited to the path. The defect sits in the server-side watch manager, the component that decides which sessions receive an event and therefore the natural place to enforce the access control boundary.
The operational impact goes beyond the leaked string itself. Znode paths routinely encode identifiers such as usernames, login IDs, hostnames, or lock and lease names, so a watcher on a readable ancestor lets an attacker enumerate which accounts or components exist and observe when they appear and disappear. That is reconnaissance: it maps the logical structure of the data held in the ensemble and identifies targets for later credential or privilege attacks, but it does not by itself disclose znode data or grant write access. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), and in ATT&CK terms it serves the discovery stage of an intrusion (T1082, System Information Discovery). Organizations using ZooKeeper for configuration management, service discovery, or distributed coordination should assume that any sensitive value placed in a znode name under a broadly readable ancestor was observable by every client with read access to that ancestor.
The primary mitigation is to upgrade to 3.9.2 or 3.8.4, which add the missing ACL validation when a persistent watcher fires: before delivering an event, the server performs the ACL check for the watcher's session against the znode the event refers to and suppresses the event when the check fails. Watches are server-side session state, so watchers registered before the upgrade are not a lingering exposure: they are dropped when a server restarts, and any watch a client re-registers against a patched server is subject to the new check. What cannot be undone is information that already leaked; any identifier that appeared in a znode path under a world-readable or broadly readable ancestor should be treated as known to every client that held read access to that ancestor while a vulnerable version was running. Beyond patching, review ACLs so that clients are not granted read on ancestors whose subtrees they should not see (the leak requires read on the watched ancestor), restrict which networks can reach the client port, and inventory which sessions hold watches on sensitive paths using the wchc and wchp four-letter commands (which must be enabled via 4lw.commands.whitelist) or the equivalent AdminServer watch commands, flagging sessions that hold persistent watches on parents of sensitive subtrees.
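The mechanism described above and the fix just summarized both come down to where in the watch-delivery path the ACL check sits, so here is a small model of that path. It is an added example written for this page, not ZooKeeper's implementation: a tiny in-memory znode tree with per-node ACLs, sessions carrying authenticated ids, persistent recursive watches, and an event-delivery routine that runs either without the trigger-time ACL check (vulnerable behaviour) or with it (patched behaviour). The permission used for the check, READ on the parent of the changed node (the same permission getChildren needs to reveal a node's name), is this model's choice; ZooKeeper's actual fix may evaluate the ACL differently. All session ids, principals, paths and ACLs are constructed for the example.

```python
"""Model of persistent recursive watch delivery in a ZooKeeper-like server,
written to illustrate CVE-2024-23944. Not ZooKeeper's code: permission bits
and ACL field names follow ZooDefs, everything else is simplified."""
from dataclasses import dataclass, field
import posixpath

# Permission bits as in org.apache.zookeeper.ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass(frozen=True)
class Acl:
    perms: int
    scheme: str  # "world" or "sasl" in this model
    id: str      # "anyone" for world, the principal name for sasl


@dataclass
class Session:
    session_id: int
    auth_ids: frozenset                          # e.g. {"sasl:alice"}
    events: list = field(default_factory=list)   # (event_type, path) delivered


def allowed(session, acl, perm):
    """True if some ACL entry grants perm to the session: world:anyone matches
    every session, a sasl entry matches one of the session's authenticated ids."""
    for entry in acl:
        if not entry.perms & perm:
            continue
        if entry.scheme == "world" and entry.id == "anyone":
            return True
        if f"{entry.scheme}:{entry.id}" in session.auth_ids:
            return True
    return False


class DataTree:
    def __init__(self, check_acl_on_trigger):
        self.acls = {"/": (Acl(ALL, "world", "anyone"),)}  # path -> ACL
        self.recursive_watches = {}                         # path -> [sessions]
        self.check_acl_on_trigger = check_acl_on_trigger

    def add_watch(self, session, path):
        """addWatch(path, PERSISTENT_RECURSIVE): registration needs READ on the
        watched node, and this check is present in the affected versions too."""
        if not allowed(session, self.acls[path], READ):
            raise PermissionError("NoAuth")
        self.recursive_watches.setdefault(path, []).append(session)

    def create(self, session, path, acl):
        """create(path, acl) needs CREATE on the parent, then fires NodeCreated."""
        parent = posixpath.dirname(path)
        if not allowed(session, self.acls[parent], CREATE):
            raise PermissionError("NoAuth")
        self.acls[path] = tuple(acl)
        self._trigger("NodeCreated", path)

    def _trigger(self, event_type, path):
        """Deliver an event carrying the full path to every persistent recursive
        watch registered on an ancestor of path."""
        # A node's name is revealed by listing its parent (getChildren needs READ
        # on the parent), so READ on the parent is what this model demands.
        parent_acl = self.acls[posixpath.dirname(path)]
        ancestor = posixpath.dirname(path)
        while True:
            for session in self.recursive_watches.get(ancestor, ()):
                if self.check_acl_on_trigger and not allowed(session, parent_acl, READ):
                    continue  # patched behaviour: suppress the event for this session
                session.events.append((event_type, path))  # vulnerable: unconditional
            if ancestor == "/":
                break
            ancestor = posixpath.dirname(ancestor)


def run_scenario(check_acl_on_trigger):
    """Return the paths a watcher with READ on /users (but not on /users/alice)
    learns about while other sessions create nodes."""
    tree = DataTree(check_acl_on_trigger)
    admin = Session(0x1000, frozenset({"sasl:admin"}))
    alice = Session(0x1001, frozenset({"sasl:alice"}))
    mallory = Session(0x1002, frozenset({"sasl:mallory"}))

    # /users: anyone may read (and so list) it; only admin may create under it.
    tree.create(admin, "/users", [Acl(READ, "world", "anyone"), Acl(ALL, "sasl", "admin")])
    tree.add_watch(mallory, "/users")  # permitted: mallory can READ /users

    # /users/alice is private to alice, but its name is visible to anyone who
    # can list /users, so the event for it is not a leak.
    tree.create(admin, "/users/alice", [Acl(ALL, "sasl", "alice")])
    # Nodes below /users/alice are what mallory could never enumerate directly.
    tree.create(alice, "/users/alice/login-id-4711", [Acl(ALL, "sasl", "alice")])
    # A world-readable sibling shows that legitimate events still flow.
    tree.create(admin, "/users/motd", [Acl(READ, "world", "anyone"), Acl(ALL, "sasl", "admin")])

    return [path for _, path in mallory.events]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(check_acl_on_trigger=False))
    print("patched:   ", run_scenario(check_acl_on_trigger=True))
```

In vulnerable mode mallory's session receives the full path /users/alice/login-id-4711 even though it cannot read /users/alice; in patched mode that event is suppressed while the events for /users/alice and /users/motd, whose names mallory could obtain with getChildren on /users anyway, are still delivered. The check is placed in the delivery loop rather than at registration because that is the only point where the server knows which node the event is about.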