Bitnami package
zookeeper
pkg:bitnami/zookeeper
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24308 | — | >= 3.8.0, < 3.8.6 | 3.8.6 | Mar 7, 2026 | Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering p | ||
| CVE-2026-24281 | — | >= 3.8.0, < 3.8.6 | 3.8.6 | Mar 7, 2026 | Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note | ||
| CVE-2025-58457 | — | >= 3.9.0, < 3.9.4 | 3.9.4 | Sep 24, 2025 | Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. | ||
| CVE-2024-51504 | — | >= 3.9.0, < 3.9.3 | 3.9.3 | Nov 7, 2024 | When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthentication | ||
| CVE-2024-23944 | — | >= 3.6.0, < 3.8.4 | 3.8.4 | Mar 15, 2024 | Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d | ||
| CVE-2023-44981 | — | < 3.7.2 | 3.7.2 | Oct 11, 2023 | Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.c | ||
| CVE-2021-21295 | — | >= 3.5.9, < 3.5.10 | 3.5.10 | Mar 9, 2021 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug |
- CVE-2026-24308Mar 7, 2026affected >= 3.8.0, < 3.8.6fixed 3.8.6
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering p
- CVE-2026-24281Mar 7, 2026affected >= 3.8.0, < 3.8.6fixed 3.8.6
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note
- CVE-2025-58457Sep 24, 2025affected >= 3.9.0, < 3.9.4fixed 3.9.4
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.
- CVE-2024-51504Nov 7, 2024affected >= 3.9.0, < 3.9.3fixed 3.9.3
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthentication
- CVE-2024-23944Mar 15, 2024affected >= 3.6.0, < 3.8.4fixed 3.8.4
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d
- CVE-2023-44981Oct 11, 2023affected < 3.7.2fixed 3.7.2
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.c
- CVE-2021-21295Mar 9, 2021affected >= 3.5.9, < 3.5.10fixed 3.5.10
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug