org.apache.zookeeper:zookeeper (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.zookeeper:zookeeper, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2024-51504 — CVSS 9.1 (critical): When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only…
CVE-2023-44981 — CVSS 9.1 (critical): Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in…
CVE-2017-5637 — CVSS 7.5 (high): Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused…
CVE-2018-8012 — CVSS 7.5 (high): No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha…
CVE-2026-24308 — CVSS 7.5 (high): Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose…
CVE-2026-24281 — CVSS 7.4 (high): Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers…
CVE-2019-0201 — CVSS 5.9 (medium): An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any…
CVE-2024-23944 — CVSS 5.3 (medium): Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child…
CVE-2025-58457 — CVSS 4.3 (medium): Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient…