CVE-2024-31141

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Nov 19, 2024
Updated: Nov 21, 2024
CWE ID 552
CWE ID 269

Summary

CVE-2024-31141 is a vulnerability affecting Apache Kafka Clients from versions 2.3.0 through 3.5.2, 3.6.2, and 3.7.0. This issue involves the ConfigProvider plugins, which include FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider. Attackers can exploit these ConfigProviders to read arbitrary contents of the disk and environment variables when Apache Kafka Clients configurations can be specified by an untrusted party. In the context of Apache Kafka Connect, this flaw may lead to escalating from REST API access to filesystem/environment access. Users are advised to upgrade to kafka-clients version >=3.8.0 and set the JVM system property "org.apache.kafka.automatic.config.providers=none". For Kafka Connect users, it is recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict the operation of the ConfigProviders. Users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access should not set the system property. This vulnerability does not affect Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools.
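A Kafka Connect worker configuration showing the unrestricted provider setup beside the restricted one the advisory recommends, added here as an example and not taken from the advisory or the Kafka project; the provider names, the secrets directory and the KAFKA_SECRET_ prefix are placeholders.

```properties
# Added example: Kafka Connect worker.properties (not from the advisory).
# Placeholder names/values: providers "file" and "env", /etc/kafka/secrets,
# and the KAFKA_SECRET_ variable prefix.

# Weak form: providers registered with no restriction. Any ${file:...} or
# ${env:...} reference in a connector config submitted over the REST API is
# resolved against every readable path and every environment variable of the
# worker process, which is the escalation the advisory describes.
# config.providers=file,env
# config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
# config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider

# Hardened form (kafka-clients >= 3.8.0): the same providers, confined with
# allowed.paths and allowlist.pattern as the advisory recommends.
config.providers=file,env
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
# Only files below this directory can be resolved through ${file:<path>:<key>}.
config.providers.file.param.allowed.paths=/etc/kafka/secrets
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
# Only variables matching this regex can be resolved through ${env:<name>}.
config.providers.env.param.allowlist.pattern=^KAFKA_SECRET_.*$
```

Alongside this, start the JVM with the property from the advisory, for example `KAFKA_OPTS=-Dorg.apache.kafka.automatic.config.providers=none`, so that a client configuration cannot instantiate ConfigProviders on its own; that the worker's explicitly configured providers above keep working under that setting is an assumption drawn from the advisory's wording, and the advisory notes the property should not be set where users are already trusted with disk and environment access.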



Affected Products

  • kafka-clients

Affected Vendors

  • Apache Software Foundation