oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-58457: Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands

From: Damien Diederen <ddiederen () apache org>
Date: Wed, 24 Sep 2025 10:59:05 +0200

Severity: moderate 

Affected versions:

- Apache ZooKeeper (org.apache.zookeeper:zookeeper) 3.9.0 before 3.9.4

Description:

Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with 
insufficient permissions.

This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4.

Users are recommended to upgrade to version 3.9.4, which fixes the issue.

The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling 
the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open 
permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides 
notifications from recursive watches.)

Credit:

Damien Diederen <ddiederen () apache org> (reporter)

References:

https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-58457
Previous By Date Next
Previous By Thread Next

Current thread: