SCA: security update for org.apache.zookeeper:zookeeper (GHSA-7286-pgfv-vxvh)

critical Tenable Self-Hosted Container Security Plugin ID 411733

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), authorization is performed by verifying that the instance part of the SASL authentication ID is listed in the zoo.cfg server list. The instance part of the SASL auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, or 3.7.2, which fixes the issue. Alternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this will mitigate the issue. See the documentation for more details on correct cluster administration. (CVE-2023-44981)

See Also

https://github.com/advisories/GHSA-7286-pgfv-vxvh

Plugin Details

Severity: Critical

ID: 411733

Version: Revision 1.14

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.81

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2023-44981

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/11/2023

Vulnerability Publication Date: 10/11/2023

Reference Information

CVE: CVE-2023-44981

CWE: CWE-639