<!--#include virtual="includes/_header.htm" -->
<body class="page-cve-list ">
<!--#include virtual="includes/_top.htm" -->
<div class="content">
<!--#include virtual="includes/_nav.htm" -->
<div class="right">
<h1>Apache Kafka Security Vulnerabilities</h1>
This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12399">CVE-2019-12399</a>
Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint</h2>
<p>When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are
configured with one or more config providers, and a connector is created/updated on
that Connect cluster to use an externalized secret variable in a substring of a
connector configuration property value (the externalized secret variable is not the
whole configuration property value), then any client can issue a request to
the same Connect cluster to obtain the connector's task configurations and
the response will contain the plaintext secret rather than the externalized secret variable.
Users should upgrade to 2.0.2 or higher, 2.1.2 or higher, 2.2.2 or higher, or 2.3.1 or higher
where this vulnerability has been fixed.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>2.0.2, 2.1.2, 2.2.2, 2.3.1 and later</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could result in exposing externalized connector secrets.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>13 Jan 2020</td>
</tr>
</tbody>
</table>
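<p>The following audit sketch for CVE-2019-12399 is an added example, not code from the Apache Kafka project. It flags connector properties where a config provider reference of the form <code>${provider:path:key}</code> is embedded in a longer value, which is the pattern described above, and reports them only when the worker version is one of the affected releases listed in the table. The connector names, class name, file path and sample configurations are constructed, and the version check assumes the worker reports an exact release string.</p>

```python
import re

# Affected releases, as listed on this page for CVE-2019-12399.
AFFECTED = {"2.0.0", "2.0.1", "2.1.0", "2.1.1", "2.2.0", "2.2.1", "2.3.0"}

# Config provider reference: ${provider:key} or ${provider:path:key}.
VAR = re.compile(r"\$\{[^}:\s]+:[^}]*\}")


def substring_secret_keys(config):
    """Return property names whose value embeds a provider variable
    inside a longer string (the case the advisory describes)."""
    flagged = []
    for key, value in config.items():
        text = str(value).strip()
        match = VAR.search(text)
        # A value that is exactly one variable is not the affected pattern.
        if match and match.group(0) != text:
            flagged.append(key)
    return sorted(flagged)


def audit(worker_version, connectors):
    """Map connector name -> flagged properties, for affected workers only."""
    if worker_version not in AFFECTED:
        return {}
    report = {}
    for name, config in connectors.items():
        keys = substring_secret_keys(config)
        if keys:
            report[name] = keys
    return report


# Constructed sample: connector configs as an operator would export them.
SAMPLE = {
    "jdbc-sink": {
        "connector.class": "com.example.JdbcSink",  # hypothetical class
        # Variable is a substring of the value: flagged.
        "connection.url": "jdbc:postgresql://db:5432/app"
                          "?password=${file:/etc/secrets.properties:db_pw}",
        # Variable is the whole value: not the affected pattern.
        "connection.password": "${file:/etc/secrets.properties:db_pw}",
    },
    "plain-source": {"topics": "orders"},
}

if __name__ == "__main__":
    print(audit("2.3.0", SAMPLE))
```

<p>Connectors reported by this check on an affected worker are the ones whose secrets should be treated as exposed and rotated after upgrading to a fixed version.</p>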
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
Authenticated clients with Write permission may bypass transaction/idempotent ACL validation</h2>
<p>In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually
craft a Produce request which bypasses transaction/idempotent ACL validation.
Only authenticated clients with Write permission on the respective topics are
able to exploit this vulnerability. Users should upgrade to 2.1.1 or later
where this vulnerability has been fixed.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>0.11.0.0 to 2.1.0</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>2.1.1 and later</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could result in privilege escalation.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>10 July 2019</td>
</tr>
</tbody>
</table>
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
Authenticated Kafka clients may interfere with data replication</h2>
<p>Authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request,
interfering with data replication and resulting in data loss.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could potentially lead to data loss.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>26 July 2018</td>
</tr>
</tbody>
</table>
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
Authenticated Kafka clients may impersonate other users</h2>
<p>Authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM
authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>0.10.2.2, 0.11.0.2, 1.0.0</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could result in privilege escalation.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>26 July 2018</td>
</tr>
</tbody>
</table>
<!--#include virtual="includes/_footer.htm" -->