Apache Zookeeper vulnerabilities

CVE-2026-24308 [HIGH] CWE-532 CVE-2026-24308: Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all pla Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended

CVE-2026-24281 [HIGH] CWE-295 CVE-2026-24281: Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustMana

CVE-2025-58457 [MEDIUM] CWE-280 CVE-2025-58457: Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and resto Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be mitigated by disabling both commands (via admin.snaps

CVE-2024-51504 [CRITICAL] CWE-290 CVE-2024-51504: When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authenticati When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an atta

CVE-2024-23944 [MEDIUM] CWE-862 CVE-2024-23944: Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequen

CVE-2023-44981 [CRITICAL] CWE-639 CVE-2023-44981: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum P Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if

CVE-2021-21295 [MEDIUM] CWE-444 CVE-2021-21295: Netty is an open-source, asynchronous event-driven network application framework for rapid developme Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 req

CVE-2019-0201 [MEDIUM] CWE-862 CVE-2019-0201: An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s g An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is use

CVE-2018-8012 [HIGH] CWE-862 CVE-2018-8012: No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKee No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

CVE-2017-5637 [HIGH] CWE-306 CVE-2017-5637: Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

CVE-2016-5017 [HIGH] CWE-119 CVE-2016-5017: Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when usi Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.