CVE-2026-24308Log File Information Exposure in Apache Zookeeper

CWE-532Log File Information ExposureCWE-117Improper Output Neutralization for Logs9 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 93.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache ZookeeperApache Software Foundation Apache Zookeeper
Timeline
PublishedMar 7

Description

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/zookeeper3.8.03.8.6+1
Debianapache/zookeeper< 3.9.5-1
CVEListV5apache_software_foundation/apache_zookeeper3.9.03.9.4+1

🔴Vulnerability Details

4
OSV
CVE-2026-24308: Improper handling of configuration values in ZKConfig in Apache ZooKeeper 32026-03-07
GHSA
Apache ZooKeeper has improper handling of configuration values2026-03-07
OSV
Apache ZooKeeper has improper handling of configuration values2026-03-07
CVEList
Apache ZooKeeper: Sensitive information disclosure in client configuration handling2026-03-07

📋Vendor Advisories

2
Red Hat
Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values2026-03-07
Debian
CVE-2026-24308: zookeeper - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-24308 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-24308 Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values2026-03-07
CVE-2026-24308 — Log File Information Exposure | cvebase