Kafka
CVE-2024-27309
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (apache) · only source for this CVE.
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 33 maven packages depend on org.apache.kafka:kafka-metadata (5 direct, 28 indirect)
Ecosystem-wide dependent count for version 3.5.0.
DescriptionCVE.org
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced.
Two preconditions are needed to trigger the bug:
- The administrator decides to remove an ACL
- The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.
When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct.
The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain).
The full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. if DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.
AnalysisAI
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal. When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct. The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain). The full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. if DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period. Affected products include: Apache Kafka.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk facto
A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requi
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A security vulnerability has been identified in Apache Kafka. Rated high severity (CVSS 7.5), this vulnerability is remo
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Rated medium severity (CVSS
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today