Bug 2397773 (CVE-2025-58457) - CVE-2025-58457 org.apache.zookeeper/zookeeper: Apache ZooKeeper: Insufficient Permission Check
Summary: CVE-2025-58457 org.apache.zookeeper/zookeeper: Apache ZooKeeper: Insufficient...
Keywords:
Status: NEW
Alias: CVE-2025-58457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-24 10:01 UTC by OSIDB Bzimport
Modified: 2025-09-24 21:56 UTC (History)
46 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-24 10:01:17 UTC 
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions.

This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4.

Users are recommended to upgrade to version 3.9.4, which fixes the issue.

The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.)
Note You need to log in before you can comment on or make changes to this bug.