4 matches found

OSV
added 2025/06/10 9:30 a.m., 0 views

GHSA-MCWH-C9PG-XW43 Apache Kafka Deserialization of Untrusted Data vulnerability

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs ...

CVSS 8.8, AI score 5.7, EPSS 0.00897
Exploits 0, References 4
CNNVD
added 2025/06/10 12:0 a.m., 2 views

Apache Kafka Security Vulnerability

Apache Kafka is an open source distributed streaming platform from the Apache USA Foundation. The platform is capable of fetching real-time data for building applications that react in real-time to changes in data streams. A security vulnerability exists in Apache Kafka that stems from a...

CVSS 7.5, AI score 7.7, EPSS 0.00897
Exploits 0, References 3
OSV
added 2025/04/17 4:15 p.m., 2 views

CVE-2024-56518

Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document aka a client configuration file, which can be uploaded at the /cluster-connections URI...

CVSS 9.8, AI score 6.3
Exploits 0, References 2
RedHat Linux
added 2023/03/14 6:47 p.m., 2 views

kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect

A flaw was found in Apache Kafka Connect's REST API that permits configuration of SASL property by an authenticated operator, which could allow connection to a malicious LDAP server and subsequent deserialization of malicious content. This issue could allow an authenticated attacker to cause a...

CVSS 8.8, AI score 7.5, EPSS 0.94055
Exploits 7, References 6