11 matches found
CVE-2024-23944
CVE-2024-23944 is a ZooKeeper information-disclosure vulnerability involving persistent watchers. The issue arises when a watcher attached to a parent znode to which the attacker already has access is triggered; the server does not perform an ACL check at watch-trigger time, exposing the full pat...
CVE-2023-44981
CVE-2023-44981 (Apache ZooKeeper) : Authorization bypass through a user-controlled SASL ID when quorum peer authentication is enabled (quorum.auth.enableSasl=true). If the instance part of the SASL ID is missing (e.g., [email protected]), authorization checks are skipped, allowing an arbitrary endp...
CVE-2021-21295
Netty CVE-2021-21295 affects io.netty:netty-codec-http2 prior to 4.1.60.Final, where Content-Length validation can be bypassed when HTTP/2 is downgraded to HTTP/1.1 in proxied scenarios, enabling HTTP request smuggling. The issue occurs when HTTP2MultiplexCodec/Http2FrameCodec are used and Http2S...
CVE-2019-0201
CVE-2019-0201 affects Apache ZooKeeper up to versions 3.4.13 and 3.5.4-beta, where getACL() does not enforce permissions and returns the ACL Id in plaintext. When Digest Authentication is in use, the unsalted hash value contained in the Id field can be disclosed to unauthenticated or unprivileged...
CVE-2024-51504
CVE-2024-51504 affects ZooKeeper Admin Server via IPAuthenticationProvider. Default IP detection uses HTTP headers (X-Forwarded-For) and can be spoofed, leading to authentication bypass for IP-based auth. Admin commands like snapshot/restore may be exploited after bypass. Impact: potential inform...
CVE-2017-5637
CVE-2017-5637 affects Apache ZooKeeper prior to fixes in 3.4.10 and 3.5.3. The issue: two four-letter commands, wchp and wchc, are CPU-intensive and can cause a denial of service by overwhelming CPU on the server, rendering it unable to serve legitimate clients. Affected products/versions include...
CVE-2018-8012
CVE-2018-8012 affects Apache ZooKeeper: no authentication/authorization is enforced when a server attempts to join a quorum (before 3.4.10 and 3.5.0-alpha to 3.5.3-beta). This allows an arbitrary endpoint to join the cluster and propagate counterfeit changes to the leader. IBM and related advisor...
CVE-2016-5017
CVE-2016-5017 affects Apache ZooKeeper before 3.4.9 and 3.5.x before 3.5.3. The vulnerability is a buffer overflow in the C CLI shells (cli_st/cli_mt) caused by improper bounds checking when a long command string is used, potentially allowing arbitrary code execution. Remediation stated in the so...
CVE-2026-24308
The CVE concerns Apache ZooKeeper (versions 3.8.5 and 3.9.4) where ZKConfig improperly handles configuration values, causing sensitive client configuration data to be exposed in log files at INFO level across all platforms. Impact is exposure of sensitive information stored in client configuratio...
CVE-2026-24281
CVE-2026-24281 affects Apache ZooKeeper’s ZKTrustManager, where hostname verification falls back to reverse DNS (PTR) when IP SAN validation fails. An attacker who controls or spoofs PTR records and can present a certificate trusted by ZKTrustManager could impersonate ZooKeeper servers or clients...
CVE-2025-58457
CVE-2025-58457 is an issue in ZooKeeper AdminServer where an improper permission check allows an authenticated client with insufficient privileges to run snapshot and restore commands. Affected versions are Apache ZooKeeper 3.9.0 through 3.9.3; the fix is available in 3.9.4.Mitigation steps from ...