CVE-2023-44981
Severity: 9.1 CRITICAL
EPSS: 0.0% (top 93.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 11; latest update Apr 15
Description
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), authorization is performed by verifying that the instance part of the SASL authentication ID is listed in the zoo.cfg server list. The instance part of the SASL auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped. As a result, an arbitrary endpoint could join the cluster and begin propa…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (Exploitability: 3.9 | Impact: 5.2)
Affected Packages: 4 packages
Also affects: Debian Linux 10.0, 11.0, 12.0
Vulnerability Details
OSV: CVE-2023-44981: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper (2023-10-11)
Vendor Advisories
Oracle: Oracle Financial Services Applications Risk Matrix: Reports (Apache ZooKeeper) — CVE-2023-44981 (2024-04-15)
Oracle: Oracle Communications Applications Risk Matrix: PSR Designer (Apache ZooKeeper) — CVE-2023-44981 (2024-01-15)
Debian: CVE-2023-44981: zookeeper - Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeep... (2023)