| <!--#include virtual="includes/_header.htm" --> |
| <body class="page-cve-list "> |
| <!--#include virtual="includes/_top.htm" --> |
| <div class="content"> |
| <!--#include virtual="includes/_nav.htm" --> |
| <div class="right"> |
| |
| <h1>Apache Kafka Security Vulnerabilities</h1> |
| |
| This page lists all security vulnerabilities fixed in released versions of Apache Kafka. |
| |
| <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a> |
| Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint</h2> |
| |
| <p>When a Connect worker in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 is |
| configured with one or more config providers, and a connector is created or updated on |
| that Connect cluster with a configuration property whose value contains an externalized |
| secret variable as a substring (that is, the variable is not the whole configuration |
| property value), the worker substitutes the secret when it generates the connector's |
| task configurations. Any client that can reach the REST API of that Connect cluster can |
| then request the connector's task configurations, and the response contains the plaintext |
| secret rather than the externalized secret variable. |
| Users should upgrade to 2.2.2 or later, or 2.3.1 or later, |
| where this vulnerability has been fixed.</p> |
| |
| <table class="data-table"> |
| <tbody> |
| <tr> |
| <td>Versions affected</td> |
| <td>2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0</td> |
| </tr> |
| <tr> |
| <td>Fixed versions</td> |
| <td>2.2.2, 2.3.1 and later</td> |
| </tr> |
| <tr> |
| <td>Impact</td> |
| <td>This issue could result in exposing externalized connector secrets.</td> |
| </tr> |
| <tr> |
| <td>Issue announced</td> |
| <td>13 Jan 2020</td> |
| </tr> |
| </tbody> |
| </table> |
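<p>One way to check a Connect cluster for this exposure, as an added example that is not code from the Apache Kafka project: the script below compares a connector's configuration (the document returned by <code>GET /connectors/{name}/config</code>) with its task configurations (the list returned by <code>GET /connectors/{name}/tasks</code>) and reports every property whose externalized-secret placeholder has been replaced by a literal value in a task configuration. It also labels each placeholder property as whole-value or substring, since only the substring form is affected. The connector name, connector and task class names, file path and the resolved secret in the embedded sample documents are constructed for illustration, and the placeholder regular expression is a simplification of Kafka's <code>${provider:[path:]key}</code> syntax rather than Kafka's own implementation.</p>

```python
import re
from typing import Dict, List

# Externalized secrets in Connect look like ${provider:path:key} or
# ${provider:key} (KIP-297). Simplified pattern, an assumption of this audit
# script; it is not Kafka's own ConfigTransformer regular expression.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def classify_placeholders(connector_config: Dict[str, str]) -> Dict[str, str]:
    """Map each property that uses a placeholder to 'whole-value' or 'substring'.

    A whole-value property consists of exactly one placeholder; a substring
    property embeds a placeholder in a longer string, which is the pattern
    affected by CVE-2019-12399.
    """
    kinds: Dict[str, str] = {}
    for key, value in connector_config.items():
        if not isinstance(value, str):
            continue
        matches = PLACEHOLDER.findall(value)
        if not matches:
            continue
        if len(matches) == 1 and matches[0] == value.strip():
            kinds[key] = "whole-value"
        else:
            kinds[key] = "substring"
    return kinds


def find_leaked_secrets(connector_config: Dict[str, str],
                        task_configs: List[dict]) -> List[dict]:
    """Report placeholder properties that a task configuration has resolved.

    A finding means the worker substituted the secret before handing the
    configuration to the task, so the tasks endpoint returns it in plaintext.
    """
    kinds = classify_placeholders(connector_config)
    findings: List[dict] = []
    for task in task_configs:
        task_id = task.get("id", {}).get("task")
        task_conf = task.get("config", {})
        for key, kind in kinds.items():
            task_value = task_conf.get(key)
            if task_value is None:
                continue
            placeholders = PLACEHOLDER.findall(connector_config[key])
            resolved = [p for p in placeholders if p not in task_value]
            if resolved:
                findings.append({"task": task_id, "property": key,
                                 "kind": kind, "resolved": resolved})
    return findings


# Constructed sample documents (hypothetical connector, classes and secret).
SECRET_REF = "${file:/etc/kafka/creds.properties:db.password}"
CONNECTOR_CONFIG = {
    "name": "example-sink",
    "connector.class": "com.example.ExampleSinkConnector",
    "tasks.max": "1",
    "connection.password": SECRET_REF,                       # whole-value
    "connection.url": "jdbc:postgresql://db:5432/app?user=app&password=" + SECRET_REF,  # substring
}

# What an affected worker (2.0.0 .. 2.3.0) returns: the substring placeholder
# has been replaced by the constructed secret, the whole-value one has not.
TASK_CONFIGS_AFFECTED = [{
    "id": {"connector": "example-sink", "task": 0},
    "config": {
        "task.class": "com.example.ExampleSinkTask",
        "connection.password": SECRET_REF,
        "connection.url": "jdbc:postgresql://db:5432/app?user=app&password=s3cr3t-constructed",
    },
}]

# What a fixed worker returns: both placeholders survive in the task config.
TASK_CONFIGS_FIXED = [{
    "id": {"connector": "example-sink", "task": 0},
    "config": {
        "task.class": "com.example.ExampleSinkTask",
        "connection.password": SECRET_REF,
        "connection.url": CONNECTOR_CONFIG["connection.url"],
    },
}]

if __name__ == "__main__":
    for f in find_leaked_secrets(CONNECTOR_CONFIG, TASK_CONFIGS_AFFECTED):
        print(f"task {f['task']}: {f['property']!r} ({f['kind']}) exposes {f['resolved']}")
```

<p>To run it against a real cluster, load the two REST responses with <code>json.load</code> and pass them to <code>find_leaked_secrets</code>. A finding of kind <code>substring</code> is exactly the CVE-2019-12399 case. Until the worker is upgraded, the options are to restructure the connector configuration so that each secret is a whole-value placeholder (where the connector supports that) and to restrict network access to the Connect REST API, which does not authenticate callers by default.</p>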
| |
| <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a> |
| Authenticated clients with Write permission may bypass transaction/idempotent ACL validation</h2> |
| <p>In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually |
| craft a Produce request which bypasses transaction/idempotent ACL validation. |
| Only authenticated clients with Write permission on the respective topics are |
| able to exploit this vulnerability. Users should upgrade to 2.1.1 or later |
| where this vulnerability has been fixed.</p> |
| |
| <table class="data-table"> |
| <tbody> |
| <tr> |
| <td>Versions affected</td> |
| <td>0.11.0.0 to 2.1.0</td> |
| </tr> |
| <tr> |
| <td>Fixed versions</td> |
| <td>2.1.1 and later</td> |
| </tr> |
| <tr> |
| <td>Impact</td> |
| <td>This issue could result in privilege escalation.</td> |
| </tr> |
| <tr> |
| <td>Issue announced</td> |
| <td>10 July 2019</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a> |
| Authenticated Kafka clients may interfere with data replication</h2> |
| |
| <p>Authenticated Kafka users may perform an action reserved for brokers by sending a manually crafted fetch request, |
| interfering with data replication and potentially resulting in data loss.</p> |
| |
| <table class="data-table"> |
| <tbody> |
| <tr> |
| <td>Versions affected</td> |
| <td>0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0</td> |
| </tr> |
| <tr> |
| <td>Fixed versions</td> |
| <td>0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0</td> |
| </tr> |
| <tr> |
| <td>Impact</td> |
| <td>This issue could potentially lead to data loss.</td> |
| </tr> |
| <tr> |
| <td>Issue announced</td> |
| <td>26 July 2018</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| |
| <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a> |
| Authenticated Kafka clients may impersonate other users</h2> |
| |
| <p>Authenticated Kafka clients may impersonate other users by sending a manually crafted protocol message during SASL/PLAIN or SASL/SCRAM |
| authentication, when the broker uses the built-in PLAIN or SCRAM server implementations in Apache Kafka.</p> |
| |
| <table class="data-table"> |
| <tbody> |
| <tr> |
| <td>Versions affected</td> |
| <td>0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1</td> |
| </tr> |
| <tr> |
| <td>Fixed versions</td> |
| <td>0.10.2.2, 0.11.0.2, 1.0.0</td> |
| </tr> |
| <tr> |
| <td>Impact</td> |
| <td>This issue could result in privilege escalation.</td> |
| </tr> |
| <tr> |
| <td>Issue announced</td> |
| <td>26 July 2018</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| |
| <!--#include virtual="includes/_footer.htm" --> |