ApacheZookeeper

11 matches found

CVE, added 2024/03/15 10:26 a.m., 4414 views

CVE-2024-23944

CVE-2024-23944 is a ZooKeeper information-disclosure vulnerability involving persistent watchers. The issue arises when a watcher attached to a parent znode to which the attacker already has access is triggered; the server does not perform an ACL check at watch-trigger time, exposing the full pat...

CVSS 5.3, AI score 6, EPSS 0.00246
CVE, added 2023/10/11 11:55 a.m., 532 views

CVE-2023-44981

CVE-2023-44981 (Apache ZooKeeper) : Authorization bypass through a user-controlled SASL ID when quorum peer authentication is enabled (quorum.auth.enableSasl=true). If the instance part of the SASL ID is missing (e.g., [email protected]), authorization checks are skipped, allowing an arbitrary endp...

CVSS 9.1, AI score 9.3, EPSS 0.01713
CVE, added 2021/03/09 6:35 p.m., 483 views

CVE-2021-21295

Netty CVE-2021-21295 affects io.netty:netty-codec-http2 prior to 4.1.60.Final, where Content-Length validation can be bypassed when HTTP/2 is downgraded to HTTP/1.1 in proxied scenarios, enabling HTTP request smuggling. The issue occurs when HTTP2MultiplexCodec/Http2FrameCodec are used and Http2S...

CVSS 5.9, AI score 6.7, EPSS 0.18891
CVE, added 2019/05/23 1:42 p.m., 254 views

CVE-2019-0201

CVE-2019-0201 affects Apache ZooKeeper up to versions 3.4.13 and 3.5.4-beta, where getACL() does not enforce permissions and returns the ACL Id in plaintext. When Digest Authentication is in use, the unsalted hash value contained in the Id field can be disclosed to unauthenticated or unprivileged...

CVSS 5.9, AI score 5.8, EPSS 0.09634
CVE, added 2024/11/07 9:52 a.m., 180 views

CVE-2024-51504

CVE-2024-51504 affects ZooKeeper Admin Server via IPAuthenticationProvider. Default IP detection uses HTTP headers (X-Forwarded-For) and can be spoofed, leading to authentication bypass for IP-based auth. Admin commands like snapshot/restore may be exploited after bypass. Impact: potential inform...

CVSS 9.1, AI score 9.2, EPSS 0.00924
CVE, added 2017/10/10 1:00 a.m., 158 views

CVE-2017-5637

CVE-2017-5637 affects Apache ZooKeeper prior to fixes in 3.4.10 and 3.5.3. The issue: two four-letter commands, wchp and wchc, are CPU-intensive and can cause a denial of service by overwhelming CPU on the server, rendering it unable to serve legitimate clients. Affected products/versions include...

CVSS 7.5, AI score 7.4, EPSS 0.73654
CVE, added 2018/05/21 7:00 p.m., 127 views

CVE-2018-8012

CVE-2018-8012 affects Apache ZooKeeper: no authentication/authorization is enforced when a server attempts to join a quorum (before 3.4.10 and 3.5.0-alpha to 3.5.3-beta). This allows an arbitrary endpoint to join the cluster and propagate counterfeit changes to the leader. IBM and related advisor...

CVSS 7.5, AI score 7.3, EPSS 0.08724
CVE, added 2016/09/21 2:00 p.m., 109 views

CVE-2016-5017

CVE-2016-5017 affects Apache ZooKeeper before 3.4.9 and 3.5.x before 3.5.3. The vulnerability is a buffer overflow in the C CLI shells (cli_st/cli_mt) caused by improper bounds checking when a long command string is used, potentially allowing arbitrary code execution. Remediation stated in the so...

CVSS 8.1, AI score 7.9, EPSS 0.07821
CVE, added 2026/03/07 8:51 a.m., 75 views

CVE-2026-24308

CVE-2026-24308 affects Apache ZooKeeper: improper handling of configuration values in ZKConfig can expose sensitive client configuration in logs at INFO level. Affected: ZooKeeper 3.8.5 and 3.9.4 on all platforms. Impact: potential leakage of sensitive config data in production logs. Mitigation: ...

CVSS 7.5, AI score 5.8, EPSS 0.01146
CVE, added 2026/03/07 8:50 a.m., 53 views

CVE-2026-24281

CVE-2026-24281: Apache ZooKeeper ZKTrustManager reverse DNS fallback. The vulnerability arises when IP SAN validation fails and ZKTrustManager falls back to PTR-based name resolution, enabling attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with certificat...

CVSS 7.4, AI score 5.8, EPSS 0.00617
CVE, added 2025/09/24 9:29 a.m., 30 views

CVE-2025-58457

CVE-2025-58457 is an issue in ZooKeeper AdminServer where an improper permission check allows an authenticated client with insufficient privileges to run snapshot and restore commands. Affected versions are Apache ZooKeeper 3.9.0 through 3.9.3; the fix is available in 3.9.4. Mitigation steps from ...

CVSS 4.3, AI score 6.9, EPSS 0.00294