This is an automated email from the ASF dual-hosted git repository.

ddiederen pushed a commit to branch website
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/website by this push:
     new cfa3f59d1 Updated website content for CVE-2025-58457
cfa3f59d1 is described below

commit cfa3f59d1d724e3c48b6606ba69f7ff8fa8bc3f7
Author: Damien Diederen <[email protected]>
AuthorDate: Wed Sep 24 11:17:45 2025 +0200

    Updated website content for CVE-2025-58457
---
 src/main/resources/markdown/security.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/src/main/resources/markdown/security.md 
b/src/main/resources/markdown/security.md
index 286949b4f..b28279c08 100644
--- a/src/main/resources/markdown/security.md
+++ b/src/main/resources/markdown/security.md
@@ -30,6 +30,7 @@ their <a href="https://www.apache.org/security/";>Web page</a> 
for more informati
 
 ## Vulnerability reports
 
+* [CVE-2025-58457: Insufficient Permission Check in AdminServer 
Snapshot/Restore Commands](#CVE-2025-58457)
 * [CVE-2024-51504: Authentication bypass with IP-based authentication in Admin 
Server](#CVE-2024-51504)
 * [CVE-2024-23944: Information disclosure in persistent watcher 
handling](#CVE-2024-23944)
 * [CVE-2023-44981: Authorization bypass in SASL Quorum Peer 
Authentication](#CVE-2023-44981)
@@ -39,6 +40,35 @@ their <a href="https://www.apache.org/security/";>Web 
page</a> for more informati
 * [CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli 
shell](#CVE-2016-5017)
 
 
+<a name="CVE-2025-58457"></a>
+### CVE-2025-58457: Insufficient Permission Check in AdminServer 
Snapshot/Restore Commands
+
+Severity: moderate
+
+Affected versions:
+
+- Apache ZooKeeper (`org.apache.zookeeper:zookeeper`) 3.9.0 before 3.9.4
+
+Description:
+
+Improper permission check in ZooKeeper AdminServer lets authorized clients to 
run `snapshot` and `restore` command with insufficient permissions.
+
+This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4.
+
+Users are recommended to upgrade to version 3.9.4, which fixes the issue.
+
+The issue can be mitigated by disabling both commands (via 
`admin.snapshot.enabled` and `admin.restore.enabled`), disabling the whole 
AdminServer interface (via `admin.enableServer`), or ensuring that the root ACL 
does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, 
so this does not impact operations on child nodes besides notifications from 
recursive watches.)
+
+Credit:
+
+Damien Diederen <[email protected]> (reporter)
+
+References:
+
+[https://zookeeper.apache.org/](https://zookeeper.apache.org/)
+[https://www.cve.org/CVERecord?id=CVE-2025-58457](https://www.cve.org/CVERecord?id=CVE-2025-58457)
+
+
 <a name="CVE-2024-51504"></a>
 ### CVE-2024-51504: Authentication bypass with IP-based authentication in 
Admin Server
 
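Review bot: the description line in this hunk is ungrammatical: "lets authorized clients to run `snapshot` and `restore` command with insufficient permissions" should read "lets authorized clients run the `snapshot` and `restore` commands with insufficient permissions", and the mitigation paragraph would be easier to act on if it stated which ACL permission on the root node the fixed check enforces, so an operator can verify their root ACL rather than only avoiding "open permissions". Also, the two reference links under "References:" are placed on consecutive lines with no list marker or blank line between them, so Markdown will merge them into one paragraph unless the lines carry trailing spaces; consider a `-` list, matching the "Affected versions:" entry in the same hunk.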