<!--#include virtual="includes/_header.htm" -->
<!--#include virtual="includes/_top.htm" -->
<div class="content">
<!--#include virtual="includes/_nav.htm" -->
<div class="right">
<h1>Apache Kafka Security Vulnerabilities</h1>
This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196">CVE-2018-17196</a>
Authenticated clients with Write permission may bypass transaction/idempotent ACL validation</h2>
<p>In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually
craft a Produce request which bypasses transaction/idempotent ACL validation.
Only authenticated clients with Write permission on the respective topics are
able to exploit this vulnerability. Users should upgrade to 2.1.1 or later
where this vulnerability has been fixed.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>0.11.0.0 to 2.1.0</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>2.1.1 and later</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could result in privilege escalation.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>10 July 2019</td>
</tr>
</tbody>
</table>
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
Authenticated Kafka clients may interfere with data replication</h2>
<p>Authenticated Kafka users may perform actions reserved for the broker via a manually created fetch request,
interfering with data replication and resulting in data loss.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could potentially lead to data loss.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>26 July 2018</td>
</tr>
</tbody>
</table>
<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
Authenticated Kafka clients may impersonate other users</h2>
<p>Authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM
authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.</p>
<table class="data-table">
<tbody>
<tr>
<td>Versions affected</td>
<td>0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1</td>
</tr>
<tr>
<td>Fixed versions</td>
<td>0.10.2.2, 0.11.0.2, 1.0.0</td>
</tr>
<tr>
<td>Impact</td>
<td>This issue could result in privilege escalation.</td>
</tr>
<tr>
<td>Issue announced</td>
<td>26 July 2018</td>
</tr>
</tbody>
</table>
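<p>As an added example (not code from the Kafka project or from this advisory), the Python below checks a list of broker versions against the affected ranges copied from the three tables above, so an operator can see which of these CVEs still apply to a fleet. The broker inventory is constructed sample data.</p>

```python
"""Match Kafka broker versions against the affected ranges listed on this page.

Added example: the inclusive (lowest, highest) affected ranges are copied from the
advisory tables above; the fleet inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(v: str) -> Version:
    """'0.10.2.1' -> (0, 10, 2, 1). Numeric tuples compare correctly, unlike raw
    strings where '0.9.0.1' would sort after '0.10.2.1'. Shorter versions such as
    '1.0.0' are padded with zeros so they compare against four-part ones."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Kafka version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


# Inclusive affected ranges, transcribed from the "Versions affected" rows above.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2018-17196": [("0.11.0.0", "2.1.0")],
    "CVE-2018-1288": [("0.9.0.0", "0.9.0.1"), ("0.10.0.0", "0.10.2.1"),
                      ("0.11.0.0", "0.11.0.2"), ("1.0.0", "1.0.0")],
    "CVE-2017-12610": [("0.10.0.0", "0.10.2.1"), ("0.11.0.0", "0.11.0.1")],
}


def affected_cves(version: str) -> List[str]:
    """Return the CVEs (sorted) whose affected ranges contain this broker version."""
    v = parse_version(version)
    hits = [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]
    return sorted(hits)


def audit(fleet: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each broker name to the CVEs its version is affected by; an empty list
    means none of the three issues on this page apply to that broker."""
    return {broker: affected_cves(ver) for broker, ver in fleet.items()}


if __name__ == "__main__":
    # Constructed sample inventory: broker hostname -> reported Kafka version.
    sample_fleet = {"kafka-1": "0.10.2.1", "kafka-2": "1.0.0", "kafka-3": "2.1.1"}
    for broker, cves in audit(sample_fleet).items():
        print(f"{broker}: {', '.join(cves) if cves else 'not affected by listed CVEs'}")
```

Brokers sitting exactly on a fixed version (for example 0.10.2.2 or 2.1.1) correctly fall outside every range, and only the three CVEs on this page are covered.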
<!--#include virtual="includes/_footer.htm" -->