Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-31141

Опубликовано: 19 нояб. 2024
Источник: nvd
CVSS3: 6.5
EPSS Низкий

Описание

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients.

Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.

In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0.

Users with affected applications are recommended

Ссылки

EPSS

Процентиль: 26%
0.00086
Низкий

6.5 Medium

CVSS3

Дефекты

CWE-269

Связанные уязвимости

redhat логотип

CVE-2024-31141

CVSS3: 5.3
redhat
7 месяцев назад

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0. Users with affected applications are recommended t...

github логотип

GHSA-2x2g-32r7-p4x8

CVSS3: 6.5
github
7 месяцев назад

Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider

fstec логотип

BDU:2024-10294

CVSS3: 6.5
fstec
около 1 года назад

Уязвимость компонента Automatic ConfigProvider диспетчера сообщений Apache Kafka, позволяющая нарушителю раскрыть защищаемую информацию

redos логотип

ROS-20241216-09

CVSS3: 6.5
redos
6 месяцев назад

Уязвимость apache-kafka

EPSS

Процентиль: 26%
0.00086
Низкий

6.5 Medium

CVSS3

Дефекты

CWE-269