Vulnerability in Apache Kafka Allows Bypass of ACL Validation
CVE-2018-17196

8.8HIGH

Key Information:

Vendor

Apache
Status
Kafka
Vendor
CVE Published:
11 July 2019

What is CVE-2018-17196?

Certain versions of Apache Kafka are vulnerable to an authorization bypass vulnerability, where authenticated clients can craft specific Produce requests that circumvent transaction and idempotent ACL validation. This issue allows users with Write permissions on designated topics to potentially manipulate or exploit the system without proper authorization checks. It is crucial for organizations using affected versions to upgrade to 2.1.1 or later, in which this vulnerability has been addressed.

Affected Version(s)

Kafka 0.11.0.0 to 2.1.0

References

http://www.securityfocus.com/bid/109139
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/d1581fb6464c9bec8a72...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-17196 : Vulnerability in Apache Kafka Allows Bypass of ACL Validation