CVE-2024-23944 – Apache ZooKeeper: Information disclosure in persistent watcher handling

https://notcve.org/view.php?id=CVE-2024-23944

15 Mar 2024 — Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed b... • http://www.openwall.com/lists/oss-security/2024/03/14/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •