Detections
Analytics
Apache ZooKeeper 3.9.x < 3.9.4 Improper Permission Check
medium Nessus Plugin ID 301977
Synopsis
The remote Apache ZooKeeper server is affected by an improper permission check vulnerability.Description
The version of Apache ZooKeeper listening on the remote host is 3.9.x prior to 3.9.4. It is, therefore, affected by an improper permission check vulnerability:- Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore commands with insufficient permissions. The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (CVE-2025-58457)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update to Apache ZooKeeper 3.9.4 or later.See Also
https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx
Plugin Details
Severity: Medium
ID: 301977
File Name: apache_zookeeper_3_9_4.nasl
Version: 1.1
Type: combined
Family: Misc.
Published: 3/12/2026
Updated: 3/12/2026
Configuration: Enable paranoid mode, Enable thorough checks (optional)
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 1.4
CVSS v2
Risk Factor: Medium
Base Score: 4
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS Score Source: CVE-2025-58457
CVSS v3
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Information
CPE: cpe:/a:apache:zookeeper
Required KB Items: Settings/ParanoidReport, installed_sw/Apache Zookeeper
Patch Publication Date: 9/24/2025
Vulnerability Publication Date: 9/24/2025
Reference Information
CVE: CVE-2025-58457