DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-24281

High

Low Medium High Critical

7.4

CVSS Score

Published: Mar 07, 2026

Last Modified: Mar 10, 2026

CWE: CWE-295

Vulnerability Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Known Affected Software

28 configuration(s) from 1 vendor(s)

zookeeper

Version:

3.8.0

CPE:

cpe:2.3:a:apache:zookeeper:3.8.0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.2

CPE:

cpe:2.3:a:apache:zookeeper:3.9.2:*:*:*:*:*:*:*

zookeeper

Version:

3.8.1

CPE:

cpe:2.3:a:apache:zookeeper:3.8.1:*:*:*:*:*:*:*

zookeeper

Version:

3.8.4

CPE:

cpe:2.3:a:apache:zookeeper:3.8.4:*:*:*:*:*:*:*

zookeeper

Version:

3.8.2

CPE:

cpe:2.3:a:apache:zookeeper:3.8.2:*:*:*:*:*:*:*

zookeeper

Version:

3.9.4-2

CPE:

cpe:2.3:a:apache:zookeeper:3.9.4-2:*:*:*:*:*:*:*

zookeeper

Version:

3.9.2-0

CPE:

cpe:2.3:a:apache:zookeeper:3.9.2-0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.3-0

CPE:

cpe:2.3:a:apache:zookeeper:3.9.3-0:*:*:*:*:*:*:*

zookeeper

Version:

3.8.1-0

CPE:

cpe:2.3:a:apache:zookeeper:3.8.1-0:*:*:*:*:*:*:*

zookeeper

Version:

3.8.1-1

CPE:

cpe:2.3:a:apache:zookeeper:3.8.1-1:*:*:*:*:*:*:*

zookeeper

Version:

3.9.3

CPE:

cpe:2.3:a:apache:zookeeper:3.9.3:*:*:*:*:*:*:*

zookeeper

Version:

3.9.0-1

CPE:

cpe:2.3:a:apache:zookeeper:3.9.0-1:*:*:*:*:*:*:*

zookeeper

Version:

3.8.2-0

CPE:

cpe:2.3:a:apache:zookeeper:3.8.2-0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.1-0

CPE:

cpe:2.3:a:apache:zookeeper:3.9.1-0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.1

CPE:

cpe:2.3:a:apache:zookeeper:3.9.1:*:*:*:*:*:*:*

zookeeper

Version:

3.9.4-1

CPE:

cpe:2.3:a:apache:zookeeper:3.9.4-1:*:*:*:*:*:*:*

zookeeper

Version:

3.9.4-0

CPE:

cpe:2.3:a:apache:zookeeper:3.9.4-0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.0

CPE:

cpe:2.3:a:apache:zookeeper:3.9.0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.3-2

CPE:

cpe:2.3:a:apache:zookeeper:3.9.3-2:*:*:*:*:*:*:*

zookeeper

Version:

3.8.3

CPE:

cpe:2.3:a:apache:zookeeper:3.8.3:*:*:*:*:*:*:*

zookeeper

Version:

3.8.4-0

CPE:

cpe:2.3:a:apache:zookeeper:3.8.4-0:*:*:*:*:*:*:*

zookeeper

Version:

3.8.3-0

CPE:

cpe:2.3:a:apache:zookeeper:3.8.3-0:*:*:*:*:*:*:*

zookeeper

Version:

3.8.5-0

CPE:

cpe:2.3:a:apache:zookeeper:3.8.5-0:*:*:*:*:*:*:*

zookeeper

Version:

3.8.0-1

CPE:

cpe:2.3:a:apache:zookeeper:3.8.0-1:*:*:*:*:*:*:*

zookeeper

Version:

3.9.0-0

CPE:

cpe:2.3:a:apache:zookeeper:3.9.0-0:*:*:*:*:*:*:*

zookeeper

Version:

3.9.4

CPE:

cpe:2.3:a:apache:zookeeper:3.9.4:*:*:*:*:*:*:*

zookeeper

Version:

3.8.5

CPE:

cpe:2.3:a:apache:zookeeper:3.8.5:*:*:*:*:*:*:*

zookeeper

Version:

3.9.3-1

CPE:

cpe:2.3:a:apache:zookeeper:3.9.3-1:*:*:*:*:*:*:*

This vulnerability affects 28 software configuration(s). Ensure you patch all affected systems.

References & Resources

Severity Details

7.4

out of 10.0

High

Weakness Type (CWE)

CWE-295 Top 25 #23

Improper Certificate Validation

Description: The product does not validate, or incorrectly validates, a certificate.
Typical Severity: High
OWASP Top 10: A02:2021-Cryptographic Failures
Abstraction Level: Base