Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-v1sz-wxb7-tkfh

Summary

Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands
Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` commands. The intended requirement is authentication and authorization on the root path (`/`) with **ALL** permission for these operations; however, affected versions permit invocation without that level of authorization. The primary risk is disclosure of cluster state via snapshots to a lesser-privileged client.

*   **Affected:** `org.apache.zookeeper:zookeeper` 3.9.0 through 3.9.3.
*   **Fixed:** 3.9.4 (ZOOKEEPER-4964 “check permissions individually during admin server auth”).
*   **Mitigations:**
*   Disable both commands (`admin.snapshot.enabled`, `admin.restore.enabled`).
*   Disable AdminServer (`admin.enableServer`).
*   Ensure the root ACL is not open; note that ZooKeeper ACLs are not recursive.
*   Upgrade to 3.9.4.

Aliases

alias	CVE-2025-58457

alias	GHSA-2hmj-97jw-28jh

Fixed_packages

url	pkg:deb/debian/zookeeper@0?distro=trixie
purl	pkg:deb/debian/zookeeper@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@0%3Fdistro=trixie

url pkg:deb/debian/zookeeper@3.4.13-6%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/zookeeper@3.4.13-6%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5pdc-3tk8-8bag

vulnerability	VCID-9kth-n6wc-a7d2

vulnerability	VCID-jy5e-8syt-bueu

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.4.13-6%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/zookeeper@3.8.0-11%2Bdeb12u2?distro=trixie

purl pkg:deb/debian/zookeeper@3.8.0-11%2Bdeb12u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9kth-n6wc-a7d2

vulnerability	VCID-jy5e-8syt-bueu

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.8.0-11%252Bdeb12u2%3Fdistro=trixie

url	pkg:deb/debian/zookeeper@3.9.4-1?distro=trixie
purl	pkg:deb/debian/zookeeper@3.9.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.9.4-1%3Fdistro=trixie

url	pkg:deb/debian/zookeeper@3.9.5-1
purl	pkg:deb/debian/zookeeper@3.9.5-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.9.5-1

url	pkg:deb/debian/zookeeper@3.9.5-1?distro=trixie
purl	pkg:deb/debian/zookeeper@3.9.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.9.5-1%3Fdistro=trixie

url pkg:maven/org.apache.zookeeper/zookeeper@3.9.4

purl pkg:maven/org.apache.zookeeper/zookeeper@3.9.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jy5e-8syt-bueu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.zookeeper/zookeeper@3.9.4

Affected_packages

url pkg:deb/debian/zookeeper@3.9.3-1%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/zookeeper@3.9.3-1%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9kth-n6wc-a7d2

vulnerability	VCID-jy5e-8syt-bueu

vulnerability	VCID-v1sz-wxb7-tkfh

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.9.3-1%252Bdeb13u1%3Fdistro=trixie

url pkg:deb/debian/zookeeper@3.9.3-1%2Bdeb13u1

purl pkg:deb/debian/zookeeper@3.9.3-1%2Bdeb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9kth-n6wc-a7d2

vulnerability	VCID-jy5e-8syt-bueu

vulnerability	VCID-v1sz-wxb7-tkfh

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/zookeeper@3.9.3-1%252Bdeb13u1

url pkg:maven/org.apache.zookeeper/zookeeper@3.9.0

purl pkg:maven/org.apache.zookeeper/zookeeper@3.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5pdc-3tk8-8bag

vulnerability	VCID-9kth-n6wc-a7d2

vulnerability	VCID-amrj-mbhn-97ez

vulnerability	VCID-jy5e-8syt-bueu

vulnerability	VCID-k5d7-jzkg-4yda

vulnerability	VCID-v1sz-wxb7-tkfh

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.zookeeper/zookeeper@3.9.0

url pkg:maven/org.apache.zookeeper/zookeeper@3.9.1

purl pkg:maven/org.apache.zookeeper/zookeeper@3.9.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5pdc-3tk8-8bag

vulnerability	VCID-jy5e-8syt-bueu

vulnerability	VCID-k5d7-jzkg-4yda

vulnerability	VCID-v1sz-wxb7-tkfh

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.zookeeper/zookeeper@3.9.1

url pkg:maven/org.apache.zookeeper/zookeeper@3.9.2

purl pkg:maven/org.apache.zookeeper/zookeeper@3.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jy5e-8syt-bueu

vulnerability	VCID-k5d7-jzkg-4yda

vulnerability	VCID-v1sz-wxb7-tkfh

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.zookeeper/zookeeper@3.9.2

url pkg:maven/org.apache.zookeeper/zookeeper@3.9.3

purl pkg:maven/org.apache.zookeeper/zookeeper@3.9.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jy5e-8syt-bueu

vulnerability	VCID-v1sz-wxb7-tkfh

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.zookeeper/zookeeper@3.9.3

References

reference_url

http://github.com/apache/zookeeper/commit/71e173fcbcc9deb784081cf867bd045df3c32635

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://github.com/apache/zookeeper/commit/71e173fcbcc9deb784081cf867bd045df3c32635

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58457.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58457.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-58457

reference_id

reference_type

scores

value	0.00112
scoring_system	epss
scoring_elements	0.29336
published_at	2026-06-08T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.29439
published_at	2026-06-05T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.29403
published_at	2026-06-06T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.29369
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-58457

reference_url

https://github.com/apache/zookeeper

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/zookeeper

reference_url

https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-24T13:47:31Z/

url

https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx

reference_url

https://zookeeper.apache.org/doc/current/zookeeperSnapshotAndRestore.html

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://zookeeper.apache.org/doc/current/zookeeperSnapshotAndRestore.html

reference_url

https://zookeeper.apache.org/doc/r3.9.4/releasenotes.html

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://zookeeper.apache.org/doc/r3.9.4/releasenotes.html

reference_url

https://zookeeper.apache.org/security.html#CVE-2025-58457

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://zookeeper.apache.org/security.html#CVE-2025-58457

reference_url

http://www.openwall.com/lists/oss-security/2025/09/24/10

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2025/09/24/10

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116339
reference_id	1116339
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116339

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2397773
reference_id	2397773
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2397773

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-58457

reference_id

CVE-2025-58457

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-58457

reference_url

https://github.com/advisories/GHSA-2hmj-97jw-28jh

reference_id

GHSA-2hmj-97jw-28jh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2hmj-97jw-28jh

Weaknesses

cwe_id	280
name	Improper Handling of Insufficient Permissions or Privileges
description	The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v1sz-wxb7-tkfh

Vulnerability Instance