{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-24308","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-01-21T21:37:46.975Z","datePublished":"2026-03-07T08:51:17.567Z","dateUpdated":"2026-07-03T12:04:50.781Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2","defaultStatus":"unaffected","packageName":"org.apache.zookeeper:zookeeper","product":"Apache ZooKeeper","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"3.9.4","status":"affected","version":"3.9.0","versionType":"maven"},{"lessThanOrEqual":"3.8.5","status":"affected","version":"3.8.0","versionType":"maven"}]}],"credits":[{"lang":"en","type":"reporter","value":"Youlong Chen <chenyoulong20g@ict.ac.cn>"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<code>Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue.&nbsp;</code>Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue."}],"value":"Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-532","description":"CWE-532 Insertion of Sensitive Information into Log File","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-03-07T08:51:17.567Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr"}],"source":{"discovery":"UNKNOWN"},"title":"Apache ZooKeeper: Sensitive information disclosure in client configuration handling","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/07/5"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-03-07T17:05:11.646Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-10T17:34:03.326224Z","id":"CVE-2026-24308","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-10T17:36:03.931Z"}},{"affected":[{"cpes":["cpe:/a:redhat:amq_broker:7.12"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7.12.7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7.13"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7.13.5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7.14"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7.14.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:2.9::el9"],"defaultStatus":"affected","product":"Streams for Apache Kafka 2.9.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:2"],"defaultStatus":"affected","product":"Red Hat build of Debezium 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"affected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:offline_knowledge_portal:1"],"defaultStatus":"affected","product":"Red Hat Offline Knowledge Portal","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"affected","product":"streams for Apache Kafka 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"unaffected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"unaffected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"}],"datePublic":"2026-03-07T08:51:17.567Z","descriptions":[{"lang":"en","value":"A flaw was found in Apache ZooKeeper. Improper handling of configuration values in ZKConfig allows an attacker to expose sensitive information. This occurs when sensitive client configuration values are logged at an INFO level in the client's logfile. This vulnerability can lead to information disclosure, potentially revealing critical system details to unauthorized parties."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-117","description":"Improper Output Neutralization for Logs","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-24308"},{"name":"RHBZ#2445451","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445451"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24308.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14276"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14272"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8509"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34608"}],"solutions":[{"lang":"en","value":"RHSA-2026:14276: Red Hat AMQ Broker 7.12.7"},{"lang":"en","value":"RHSA-2026:14272: Red Hat AMQ Broker 7.13.5"},{"lang":"en","value":"RHSA-2026:8509: Red Hat AMQ Broker 7.14.0"},{"lang":"en","value":"RHSA-2026:10184: Red Hat OpenShift AI 2.25"},{"lang":"en","value":"RHSA-2026:34608: Streams for Apache Kafka 2.9.4"}],"timeline":[{"lang":"en","time":"2026-03-07T09:01:03.859Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-07T08:51:17.567Z","value":"Made public."}],"title":"Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-03T12:04:50.781Z"}}]}}