CVE Daily
← All tags

Tag: Apache ZooKeeper

All CVEs associated with "Apache ZooKeeper". Page 1/1 • 27 CVEs.

About “Apache ZooKeeper”

A curated feed of “Apache ZooKeeper”-related CVEs appears below. We currently track 27 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 7.0 (all time; 6.1 over 365d), and 59% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-532 - Insertion of Sensitive Information into Log File, CWE-129 - Improper Validation of Array Index.

In our taxonomy this topic maps to a LOW impact class. Message brokers and streaming platforms require strict ACLs and TLS. Patch brokers and clients, isolate management ports, limit anonymous access, and set resource limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: zookeeper

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
3.93.9.5Unavailable-
3.83.8.6Unavailable-
3.73.7.2 Expired
3.63.6.4 Expired
3.53.5.10 Expired
3.43.4.14 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Apache ZooKeeper”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-04-27
Medium

CVE-2026-40557

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description:  In production deployments where an admin…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2026-03-07
High

CVE-2026-24308

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the cli…

CVSS: 7.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
High

CVE-2026-24281

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper ser…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2026-01-13
Medium

CVE-2026-0528

Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed paylo…

CVSS: 6.5 CWE: CWE-129 - Improper Validation of Array Index View on NVD
2025-09-24
Medium

CVE-2025-58457

Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3…

CVSS: 4.3 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2024-11-07
Critical

CVE-2024-51504

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin S…

CVSS: 9.1 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-07-24
High

CVE-2024-39676

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 a…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-04-12
High

CVE-2024-27309

While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administ…

CVSS: 7.4 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-03-15
Medium

CVE-2024-23944

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command)…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-02-09
High

CVE-2023-50298

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-10-11
Critical

CVE-2023-44981

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2022-08-25
High

CVE-2021-25642

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run a…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2022-05-23
Low

CVE-2022-1816

A vulnerability, which was classified as problematic, has been found in Zoo Management System 1.0. Affected by this issue is /zoo/admin/public_html/view_accounts?type=zookeeper of the content module.…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-09-07
High

CVE-2021-36162

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) an…

CVSS: 8.8 CWE: N/A View on NVD
2019-12-30
Medium

CVE-2019-15024

In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom…

CVSS: 6.5 CWE: N/A View on NVD
2019-12-10
Critical

CVE-2019-4244

IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2019-11-13
Critical

CVE-2019-5029

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted int…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2019-05-23
Medium

CVE-2019-0201

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and retu…

CVSS: 5.9 CWE: CWE-862 - Missing Authorization View on NVD
2018-09-19
Medium

CVE-2018-3825

In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten,…

CVSS: 5.9 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2018-05-21
High

CVE-2018-8012

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could joi…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2018-8010

This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinc…

CVSS: 5.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2017-10-10
High

CVE-2017-5637

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2017-09-29
Medium

CVE-2017-8444

The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the clien…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2017-07-06
Critical

CVE-2017-6711

A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device. The vulne…

CVSS: 9.1 CWE: CWE-287 - Improper Authentication View on NVD
2016-09-21
High

CVE-2016-5017

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command str…

CVSS: 8.1 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2015-12-21
High

CVE-2015-1836

Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper c…

CVSS: 7.3 CWE: CWE-284 - Improper Access Control View on NVD
2014-04-17
Low

CVE-2014-0085

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been…

CVSS: 2.1 CWE: CWE-255 View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox