Vulnerability identifier: #VU19227
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Kafka
Client/Desktop applications /
Messaging software
Vendor: Apache Foundation
Description
The vulnerability allows a remote authenticated attacker to bypass certain security restrictions.
The vulnerability exists due to absent access controls when executing actions reserved for the Broker. A remote authenticated attacker can manually create fetch requests and interfere with data replication process that can lead to data loss.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Kafka: 0.9.0.0 - 0.9.0.1, 0.10.0.0 - 0.10.2.1, 0.11.0.0 - 0.11.0.2, 1.0.0
External links
http://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.