Lucene search
ApacheKafka

16 matches found

CVE | added 2024/12/18 1:38 p.m. | 571 views

CVE-2024-56128

CVE-2024-56128 affects Apache Kafka SCRAM authentication. Root cause: SCRAM server nonce verification against the server’s first message was not performed per RFC 5802, enabling plaintext-snooping scenarios if SCRAM is used over non-TLS. Impact: exploitation requires access to plaintext SCRAM exc...

CVSS 5.3 | AI score 6.8 | EPSS 0.0078
CVE | added 2020/11/28 12:00 a.m. | 519 views

CVE-2020-27218

CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...

CVSS 5.8 | AI score 5.1 | EPSS 0.08113
CVE | added 2024/11/19 8:40 a.m. | 451 views

CVE-2024-31141

CVE-2024-31141 affects Apache Kafka Clients (2.3.0–3.7.0, including 3.5.2 and 3.6.2) with ConfigProvider plugins that read from disk or environment variables via FileConfigProvider/DirectoryConfigProvider/EnvVarConfigProvider. The root cause is improper privilege management that allows untrusted ...

CVSS 6.5 | AI score 6.1 | EPSS 0.01129
CVE | added 2021/09/22 9:05 a.m. | 423 views

CVE-2021-38153

CVE-2021-38153: Apache Kafka components validate passwords/keys with Arrays.equals, enabling timing attacks that can aid brute-force attempts. Affected releases include Kafka 2.0.0–2.8.0. The issue is fixed in 2.8.1+ and in 3.0.0+. Remediation: upgrade to 2.8.1+ or 3.0.0+ where the vulnerability...

CVSS 5.9 | AI score 6.2 | EPSS 0.05773
CVE | added 2025/06/10 7:55 a.m. | 362 views

CVE-2025-27817

CVE-2025-27817: An arbitrary file read and SSRF flaw in the Apache Kafka Client (affecting Kafka Connect and related clients) allows untrusted configuration of SASL/OAUTHBEARER endpoint URLs to read local files or reach unintended URLs. Root cause: endpoints sasl.oauthbearer.token.endpoint.url a...

CVSS 7.5 | AI score 6.9 | EPSS 0.62368 | In wild | Web
CVE | added 2024/04/12 6:58 a.m. | 337 views

CVE-2024-27309

CVE-2024-27309 describes a migration-time vulnerability in Apache Kafka when moving from ZooKeeper mode to KRaft mode. Two preconditions trigger the issue: (1) an ACL is removed, and (2) the resource still has two or more other ACLs after the removal. In that scenario Kafka may treat the resource...

CVSS 7.4 | AI score 6.9 | EPSS 0.01115
CVE | added 2022/09/20 8:35 a.m. | 308 views

CVE-2022-34917

Apache Kafka (CVE-2022-34917) is vulnerable to denial of service due to a memory allocation issue on brokers triggered by malicious unauthenticated clients. Affected releases start from 2.8.0 onward, with scenarios including clusters without authentication, with SASL, or with TLS (TLS requires su...

CVSS 7.5 | AI score 7.3 | EPSS 0.01217
CVE | added 2019/07/11 8:37 p.m. | 268 views

CVE-2018-17196

CVE-2018-17196 (Apache Kafka): A vulnerability in Kafka versions 0.11.0.0–2.1.0 allows a remote authenticated attacker to bypass transaction/idempotent ACL validation by crafting a Produce request. The issue stems from improper input validation, requiring authenticated clients with Write permiss...

CVSS 8.8 | AI score 8.3 | EPSS 0.05479
CVE | added 2026/06/02 8:56 a.m. | 207 views

CVE-2026-41115

Summary: CVE-2026-41115 describes an improper authorization issue in Apache Kafka related to the CONSUMER_GROUP_DESCRIBE API. The vulnerability discussion notes a discrepancy between ACLs and documented permissions, but states that the correct permission for the API is DESCRIBE GROUP and that the...

CVSS 4.3 | AI score 5.8 | EPSS 0.00288
CVE | added 2025/06/10 7:52 a.m. | 193 views

CVE-2025-27818

Summary of CVE-2025-27818 (Apache Kafka): The issue involves an authenticated operator who, via alterConfig on a cluster resource (or Kafka Connect worker) and by modifying connector configs through the REST API, can set sasl.jaas.config on Kafka clients to an LDAP/JndiLoginModule path (e.g., com...

CVSS 8.8 | AI score 7.2 | EPSS 0.00881
CVE | added 2020/01/14 2:28 p.m. | 156 views

CVE-2019-12399

CVE-2019-12399 affects Apache Kafka Connect: when Connect workers are configured with config providers and a connector uses an externalized secret variable within a substring of a configuration value, an attacker can request a cluster’s task configuration and receive the plaintext secret instead ...

CVSS 7.5 | AI score 7.3 | EPSS 0.03915
CVE | added 2025/06/10 7:54 a.m. | 139 views

CVE-2025-27819

CVE-2025-27819 describes a Kafka vulnerability enabling RCE/Denial of Service via SASL JAAS JndiLoginModule configuration, affecting Kafka Connect API and Apache Kafka brokers. Exploitation requires network access to the cluster and the AlterConfigs permission on the cluster resource. The root ca...

CVSS 7.5 | AI score 6.8 | EPSS 0.00871
CVE | added 2018/07/26 2:00 p.m. | 111 views

CVE-2018-1288

CVE-2018-1288 affects Apache Kafka across multiple 0.9.x–1.0.0 release lines; authenticated users can issue a fetch request that performs a broker-reserved action, potentially causing data loss during replication. The public advisory documents the issue and confirms fixes in later Kafka bui...

CVSS 5.5 | AI score 5.5 | EPSS 0.04801
CVE | added 2018/07/26 2:00 p.m. | 105 views

CVE-2017-12610

CVE-2017-12610 affects Apache Kafka versions 0.10.0.0–0.10.2.1 and 0.11.0.0–0.11.0.1. The issue allows an authenticated Kafka client to impersonate other users by sending a manually crafted protocol message when SASL/PLAIN or SASL/SCRAM is used against the built-in servers. The vulnerability can ...

CVSS 6.8 | AI score 6.6 | EPSS 0.02985
CVE | added 2026/04/20 1:20 p.m. | 80 views

CVE-2026-33558

CVE-2026-33558 affects Apache Kafka: the NetworkClient logs sensitive information at DEBUG level, exposing full requests/responses for certain APIs (AlterConfigsRequest, AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, IncrementalAlterConfigsRequest, RenewDelegationTokenRequest, Sa...

CVSS 5.3 | AI score 5.7 | EPSS 0.00535
CVE | added 2026/04/20 1:28 p.m. | 41 views

CVE-2026-33557

CVE-2026-33557 affects Apache Kafka where the broker’s default oauthbearer JWT validator (DefaultJwtValidator) accepts any JWT without validating signature, issuer, or audience. An attacker can generate a token from any issuer with a chosen preferred_username, and the broker will accept it. Techn...

CVSS 9.1 | AI score 5.7 | EPSS 0.00581