VYPR

Zookeeper

by Apache

Source repositories

CVEs (10)

  • CVE-2017-5637HigOct 10, 2017
    risk 0.58cvss 7.5epss 0.74

    Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue,…

  • CVE-2016-5017HigSep 21, 2016
    risk 0.53cvss 8.1epss 0.08

    Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.

  • CVE-2018-8012HigMay 21, 2018
    risk 0.49cvss 7.5epss 0.09

    No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

  • CVE-2026-24308Mar 7, 2026
    risk 0.00cvss epss 0.01

    Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering…

  • CVE-2026-24281Mar 7, 2026
    risk 0.00cvss epss 0.01

    Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to…

  • CVE-2025-58457Sep 24, 2025
    risk 0.00cvss epss 0.00

    Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.…

  • CVE-2024-51504Nov 7, 2024
    risk 0.00cvss epss 0.01

    When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection…

  • CVE-2024-23944Mar 15, 2024
    risk 0.00cvss epss 0.00

    Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't…

  • CVE-2023-44981Oct 11, 2023
    risk 0.00cvss epss 0.02

    Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in…

  • CVE-2019-0201May 23, 2019
    risk 0.00cvss epss 0.10

    An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string.…