CVE-2024-51504
Severity: 9.1 CRITICAL
EPSS: 0.1% (top 76.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected packages below
Timeline: Published Nov 7, 2024; Latest update Oct 15, 2025
Description
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP-based authentication implemented in ZooKeeper Admin Server. The default configuration of client IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication by spoofing the client's IP address in request headers. The default configuration honors the X-Forwarded-For HTTP header to read cli…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (Exploitability: 3.9 | Impact: 5.2)
Affected packages: 4 packages
Vulnerability details (4 sources)
- OSV: CVE-2024-51504: When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP base… (2024-11-07)
- CVEList
- GHSA
Vendor advisories (3)
- Oracle: Oracle Communications Applications Risk Matrix: Core (Apache ZooKeeper) — CVE-2024-51504 (2025-10-15)
- Red Hat: org.apache.zookeeper: Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server (2024-11-07)
- Debian: CVE-2024-51504: zookeeper - When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibi... (2024)