Klaw
Monthly
Improper access control in Klaw, the Aiven-Open self-service Apache Kafka governance portal, exposes user password hashes to unauthenticated remote attackers in all versions prior to 2.10.4. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network without any authentication or user interaction, making it trivially reachable in internet-exposed deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the unauthenticated network vector lowers the bar significantly for opportunistic attackers seeking credential material.
Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.
Improper access control in Klaw, the Aiven-Open self-service Apache Kafka governance portal, exposes user password hashes to unauthenticated remote attackers in all versions prior to 2.10.4. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network without any authentication or user interaction, making it trivially reachable in internet-exposed deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the unauthenticated network vector lowers the bar significantly for opportunistic attackers seeking credential material.
Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.