PT-2024-7913 · Apache · Apache ZooKeeper
Credit: 4Ra1N
Published: 2024-11-06
Updated: 2026-04-10
CVE-2024-51504
CVSS v2.0: 9.4 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache ZooKeeper versions 3.9.0 through 3.9.2
Description
The ZooKeeper Admin Server (the embedded Jetty HTTP server that exposes the /commands endpoints) can authenticate callers of privileged commands with IPAuthenticationProvider, that is, by the client's IP address. In the affected versions the provider's default client-IP detection reads the address from HTTP request headers and honors X-Forwarded-For, a header that reverse proxies add but that any client can set to an arbitrary value. An attacker who can reach the Admin Server port therefore only has to send X-Forwarded-For with an allow-listed address to be treated as that address, bypassing IP-based authentication (CWE-290, Authentication Bypass by Spoofing). Only deployments that rely on IP-based authentication for the Admin Server are affected. Successful exploitation lets the attacker run Admin Server commands arbitrarily, including snapshot (reads the data tree out of the server: information leakage) and restore (overwrites it: service availability issues).
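The client-IP detection the description refers to, as an added illustration that is not ZooKeeper's code: a hypothetical IP allow-list check fed by two resolvers, the weak one (first X-Forwarded-For entry preferred over the TCP peer, the pattern behind CVE-2024-51504) and a hardened one that goes beyond the page by handling the reverse-proxy case: X-Forwarded-For is consulted only when the TCP peer is a configured trusted proxy, and then walked from the right so that client-supplied entries are never used. All addresses, networks, the trusted-proxy list and the requests in `run_scenarios` are constructed.

```python
# Added example (not ZooKeeper's code): client-IP resolution for IP-based
# authentication, in the weak form CVE-2024-51504 describes and in a
# proxy-aware hardened form. All addresses and networks are constructed.
import ipaddress
from typing import Iterable, Mapping

# Constructed allow-list for a hypothetical admin endpoint: only the ops
# subnet may run privileged commands.
ALLOWED_NETWORKS = (ipaddress.ip_network("10.20.0.0/24"),)


def _xff(headers: Mapping[str, str]) -> str:
    """Case-insensitive lookup of X-Forwarded-For (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            return value
    return ""


def resolve_weak(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Weak pattern: if X-Forwarded-For is present, its first entry wins over
    the TCP peer address. The first entry is whatever the client put there."""
    xff = _xff(headers)
    if xff.strip():
        return xff.split(",")[0].strip()
    return remote_addr


def resolve_hardened(remote_addr: str, headers: Mapping[str, str],
                     trusted_proxies: Iterable[str] = ()) -> str:
    """Hardened pattern: the TCP peer is authoritative. Only when the peer is a
    trusted reverse proxy is X-Forwarded-For consulted, and then from the
    right (the hop the proxy itself appended), skipping further trusted proxies
    and stopping at the first untrusted hop. Entries left of that hop were
    supplied by the client and are ignored. A malformed entry falls back to
    the peer address, which fails closed unless the proxy is allow-listed."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    if not any(peer in net for net in trusted):
        return remote_addr
    hops = [h.strip() for h in _xff(headers).split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not any(addr in net for net in trusted):
            return hop
    return remote_addr


def is_allowed(ip: str) -> bool:
    """The IP allow-list check that both resolvers feed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def run_scenarios() -> dict:
    """Constructed requests; returns {name: (weak_allowed, hardened_allowed)}."""
    proxy = ("10.20.9.1/32",)
    cases = {
        # attacker reaches the port directly and claims an ops address
        "direct_spoof": ("203.0.113.7", {"X-Forwarded-For": "10.20.0.5"}, ()),
        # legitimate ops host, no proxy, no header
        "direct_legit": ("10.20.0.5", {}, ()),
        # legitimate ops host through the trusted proxy
        "proxied_legit": ("10.20.9.1", {"x-forwarded-for": "10.20.0.5"}, proxy),
        # attacker through the trusted proxy, which appended the real client
        "proxied_spoof": ("10.20.9.1", {"X-Forwarded-For": "10.20.0.5, 203.0.113.7"}, proxy),
    }
    return {
        name: (is_allowed(resolve_weak(peer, hdrs)),
               is_allowed(resolve_hardened(peer, hdrs, proxies)))
        for name, (peer, hdrs, proxies) in cases.items()
    }


if __name__ == "__main__":
    for name, (weak, hard) in run_scenarios().items():
        print(f"{name:14s} weak={'ALLOW' if weak else 'deny':5s} hardened={'ALLOW' if hard else 'deny'}")
```

The weak resolver grants both spoofed requests; the hardened one denies them while still admitting the legitimate client behind the trusted proxy. Note that without a trusted-proxy entry the hardened resolver sees the proxy's own address for every forwarded request, so ignoring X-Forwarded-For outright is only safe when ZooKeeper is reached directly or the allow-list is enforced at the proxy.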
Recommendations
For Apache ZooKeeper versions 3.9.0 through 3.9.2, upgrade to version 3.9.3, which no longer trusts X-Forwarded-For by default. Until the upgrade is in place: restrict network access to the Admin Server, which is enabled by default and listens on all interfaces on port 8080, for example by binding it to loopback with admin.serverAddress=127.0.0.1 in zoo.cfg, firewalling its port (admin.serverPort) or disabling it with admin.enableServer=false; do not rely on IPAuthenticationProvider alone to protect Admin Server commands, and do not enable the snapshot and restore commands where they are not needed; and, if a reverse proxy must sit in front of the Admin Server, make sure it overwrites rather than appends any client-supplied X-Forwarded-For and that nothing but the proxy can reach the ZooKeeper port. Avoid using the X-Forwarded-For request header in the affected endpoints until the issue is resolved, with the caveat that once the header is ignored the authenticated address is the TCP peer: an Admin Server behind a proxy then sees the proxy's address for every request, so the allow-list has to be enforced at the proxy rather than in ZooKeeper.
Fix
Weakness Enumeration
CWE-290: Authentication Bypass by Spoofing
Related Identifiers
Affected Products
Apache ZooKeeper
RED OS