cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-31141,https://securityvulnerability.io/vulnerability/CVE-2024-31141,"Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients","Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and include ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0. Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property ""org.apache.kafka.automatic.config.providers=none"". Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate ""allowlist.pattern"" and ""allowed.paths"" to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.",Apache,Apache Kafka Clients,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-19T08:40:50.695Z,0
CVE-2024-27309,https://securityvulnerability.io/vulnerability/CVE-2024-27309,Kafka Migration Bug Affects ACL Enforcement,"While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal. When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct. The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain). The full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. If DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.",Apache,Apache Kafka,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-04-12T06:58:45.134Z,0
CVE-2023-25194,https://securityvulnerability.io/vulnerability/CVE-2023-25194,"Apache Kafka Connect API: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect","A security vulnerability exists in the Apache Kafka Connect API, allowing authenticated operators to manipulate connector configurations and introduce malicious JAAS settings. When exploiting this flaw, an attacker can connect to their own LDAP server through the Kafka Connect infrastructure, leading to potential remote code execution via deserialization. This vulnerability affects configurations starting from Apache Kafka Connect 2.3.0 and necessitates thorough validation of connector settings. Users are urged to utilize available security properties in newer versions and implement strict controls for connector configurations to mitigate associated risks.",Apache,Apache Kafka Connect API,8.8,HIGH,0.9607099890708923,false,,false,false,true,2023-12-28T04:24:02.000Z,true,false,false,,2023-02-07T20:15:00.000Z,0
CVE-2022-34917,https://securityvulnerability.io/vulnerability/CVE-2022-34917,Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers,"A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.",Apache,Apache Kafka,7.5,HIGH,0.0009200000204145908,false,,false,false,false,,,false,false,,2022-09-20T08:35:07.000Z,0
CVE-2021-38153,https://securityvulnerability.io/vulnerability/CVE-2021-38153,Timing Attack Vulnerability for Apache Kafka Connect and Clients,"Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.",Apache,Apache Kafka,5.9,MEDIUM,0.0010400000028312206,false,,false,false,false,,,false,false,,2021-09-22T09:05:11.000Z,0
CVE-2019-12399,https://securityvulnerability.io/vulnerability/CVE-2019-12399,,"When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.",Apache,Kafka,7.5,HIGH,0.0024800000246614218,false,,false,false,false,,,false,false,,2020-01-14T14:28:57.000Z,0
CVE-2018-17196,https://securityvulnerability.io/vulnerability/CVE-2018-17196,,"In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed.",Apache,Kafka,8.8,HIGH,0.0015300000086426735,false,,false,false,false,,,false,false,,2019-07-11T20:37:56.000Z,0
CVE-2017-12610,https://securityvulnerability.io/vulnerability/CVE-2017-12610,,"In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.",Apache,Apache Kafka,6.8,MEDIUM,0.0021200000774115324,false,,false,false,false,,,false,false,,2018-07-26T00:00:00.000Z,0
CVE-2018-1288,https://securityvulnerability.io/vulnerability/CVE-2018-1288,,"In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.",Apache,Apache Kafka,5.4,MEDIUM,0.0008800000068731606,false,,false,false,true,2020-02-20T03:36:11.000Z,true,false,false,,2018-07-26T00:00:00.000Z,0