Lucene search

GitHub Advisory DatabaseGHSA-Q2XX-F8R3-9MG5

HistoryJun 17, 2024 - 9:31 p.m.

STRIMZI incorrect access control

2024-06-1721:31:10

CWE-306

CWE-400

GitHub Advisory Database

github.com

access control

strimzi

data theft

denial of service

kafka mirroring

kafka acl

sasl credentials

rest api

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

JSON

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics’ content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.

Affected configurations

Vulners

Node

io.strimzistrimziRange≤0.41.0

VendorProductVersionCPE
io.strimzistrimzi*cpe:2.3:a:io.strimzi:strimzi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
io.strimzi	strimzi	*	cpe:2.3:a:io.strimzi:strimzi::::::::

References

strimzi.com

github.com/advisories/GHSA-q2xx-f8r3-9mg5

github.com/almounah/vulnerability-research/tree/main/CVE-2024-36543

nvd.nist.gov/vuln/detail/CVE-2024-36543

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

JSON

Related for GHSA-Q2XX-F8R3-9MG5