CVE-2018-17196

8.8HIGH

Key Information:

Vendor
Apache
Status
Kafka
Vendor
CVE Published:
11 July 2019

Summary

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed.

Affected Version(s)

Kafka 0.11.0.0 to 2.1.0

References

http://www.securityfocus.com/bid/109139
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/d1581fb6464c9bec8a72...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.