
Authorization Bypass Through User-Controlled Key

CVE-2023-44981

Severity High
Score 9.1/10

Summary

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), authorization is done by verifying that the instance part of the SASL authentication ID is listed in the zoo.cfg server list. The instance part of the SASL auth ID is optional, and if it is missing, like "[email protected]", the authorization check is skipped. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Alternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this will mitigate the issue. This issue affects versions prior to 3.7.2, 3.8.x prior to 3.8.3 and 3.9.0.
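The check described above can be modelled in a few lines. This is an added example, not ZooKeeper's own code: the function names are hypothetical, and the zoo.cfg fragment, hostnames, realm and authentication IDs are constructed. It contrasts a check that is skipped when the instance part is absent with one that fails closed.

```python
import re

# Constructed zoo.cfg fragment (hostnames are made up for this example).
ZOO_CFG = """\
quorum.auth.enableSasl=true
server.1=zk1.example.internal:2888:3888
server.2=zk2.example.internal:2888:3888
server.3=zk3.example.internal:2888:3888
"""

# Constructed IDs: listed peer, unlisted host, no instance part at all.
SAMPLE_IDS = (
    "zkquorum/zk1.example.internal@EXAMPLE.INTERNAL",
    "zkquorum/other.example.internal@EXAMPLE.INTERNAL",
    "someuser@EXAMPLE.INTERNAL",
)

def quorum_hosts(cfg_text):
    """Collect the host part of every server.N=host:port:port entry."""
    hosts = set()
    for line in cfg_text.splitlines():
        m = re.match(r"\s*server\.\d+\s*=\s*([^:\s]+):", line)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def split_auth_id(auth_id):
    """Split 'primary[/instance]@REALM'; instance is None when absent."""
    name, _, realm = auth_id.partition("@")
    primary, sep, instance = name.partition("/")
    return primary, (instance if sep else None), realm

def authorize_flawed(auth_id, hosts):
    """Models the flaw: the host check runs only if an instance is present."""
    _, instance, _ = split_auth_id(auth_id)
    if instance is not None:
        return instance.lower() in hosts
    return True  # no instance part: check skipped, peer accepted

def authorize_strict(auth_id, hosts):
    """Fail closed: a missing or unlisted instance is never authorized."""
    _, instance, _ = split_auth_id(auth_id)
    return bool(instance) and instance.lower() in hosts

def compare(auth_ids=SAMPLE_IDS, cfg_text=ZOO_CFG):
    """Return {auth_id: (flawed_result, strict_result)}."""
    hosts = quorum_hosts(cfg_text)
    return {a: (authorize_flawed(a, hosts), authorize_strict(a, hosts))
            for a in auth_ids}
```

Only the ID without an instance part is treated differently by the two functions, which is the case the summary describes.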

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Advisory Timeline

  • Published