9.1
CRITICAL
CVE-2024-51504
ZooKeeper IPAuthenticationProvider Spoofing Authentication Bypass
Description

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

INFO

Published Date :

Nov. 7, 2024, 10:15 a.m.

Last Modified :

Nov. 8, 2024, 7:01 p.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

5.2

Exploitability Score :

3.9
Affected Products

The following products are affected by CVE-2024-51504 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-51504.

URL Resource
https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-51504 vulnerability anywhere in the article.

  • Cybersecurity News
Ghostscript Update Patches Six Critical Vulnerabilities: Code Execution, Buffer Overflow, and Path Traversal Risks

Popular document rendering engine Ghostscript has released a critical security update addressing multiple vulnerabilities, some of which could lead to remote code execution.Ghostscript, a widely used ... Read more

Published Date: Nov 12, 2024 (5 days, 11 hours ago)
CVE-2024-46956 CVE-2024-46955 CVE-2024-46954 CVE-2024-46953 CVE-2024-46952 CVE-2024-46951 CVE-2024-51504 CVE-2024-8924 CVE-2024-8923 CVE-2024-45844 ...+6 more CVE
  • Cybersecurity News
Apache ZooKeeper Security Alert: Important Flaw Impacts Admin Server (CVE-2024-51504)

Apache ZooKeeper, the widely used centralized service for managing configuration and synchronization across distributed applications, has recently issued a security advisory regarding a significant vu ... Read more

Published Date: Nov 08, 2024 (1 week, 2 days ago)
CVE-2024-51504 CVE-2024-9921 CVE-2024-9603 CVE-2024-9602 CVE-2024-38812 CVE-2024-27309 CVE-2024-23944 CVE-2023-44981

The following table lists the changes that have been made to the CVE-2024-51504 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Nov. 07, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • CVE Received by [email protected]

    Nov. 07, 2024

    Action Type Old Value New Value
    Added Description When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.
    Added Reference Apache Software Foundation https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh [No types assigned]
    Added CWE Apache Software Foundation CWE-290
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: