CVE-2024-31141
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Summary
CVE-2024-31141 is a vulnerability affecting Apache Kafka Clients versions 2.3.0 through 3.5.2, 3.6.2, and 3.7.0. The issue lies in the ConfigProvider plugins FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider. When Apache Kafka Clients configurations can be specified by an untrusted party, an attacker can use these ConfigProviders to read arbitrary contents of the disk and environment variables. In the context of Apache Kafka Connect, this flaw may allow escalating from REST API access to filesystem/environment access.

Users are advised to upgrade to kafka-clients version >=3.8.0 and set the JVM system property "org.apache.kafka.automatic.config.providers=none". For Kafka Connect users, it is recommended to add appropriate "allowlist.pattern" and "allowed.paths" settings to restrict the operation of the ConfigProviders. Users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access should not set the system property.

This vulnerability does not affect Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, or Kafka command-line tools.
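Kafka Connect worker configuration illustrating the mitigation described above, as an added example that is not part of the CVE record or of the Kafka project's own documentation: the unrestricted provider declarations are shown beside the restricted ones that use the "allowed.paths" and "allowlist.pattern" parameters named in the advisory. The provider aliases (file, env), the directory and the regex are assumptions; the config.providers.<alias>.param. prefix is Kafka Connect's standard way of passing parameters to a ConfigProvider.

```properties
# connect-distributed.properties (excerpt; constructed example)

# --- Before: providers enabled with no restriction (vulnerable setup) ---
# Any connector configuration submitted through the Connect REST API may
# reference ${file:<any readable path>:<key>} or ${env:<any variable>},
# and the worker resolves it on the user's behalf.
config.providers=file,env
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider

# --- After (kafka-clients >= 3.8.0): restrict what each provider may read ---
config.providers=file,env
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
# Only files under this directory can be resolved (assumed location of the
# worker's secret files)
config.providers.file.param.allowed.paths=/etc/kafka/connect/secrets
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
# Only environment variables matching this regex can be resolved
# (assumed naming convention for variables meant to be exposed)
config.providers.env.param.allowlist.pattern=^CONNECT_SECRET_.*$

# For plain Kafka Clients deployments where configuration can come from an
# untrusted party, the advisory also recommends passing the JVM property
# from the summary, e.g. via the standard KAFKA_OPTS environment variable:
#   KAFKA_OPTS="-Dorg.apache.kafka.automatic.config.providers=none"
```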
Affected Products
- kafka-clients
Affected Vendors
- Apache Software Foundation