Apache Kafka is vulnerable to incorrect access control. The flaw lies in ACL management during the migration from ZooKeeper (ZK) to KRaft mode: when an ACL is removed from a resource that still has two or more other ACLs attached, Kafka treats the resource as if only one ACL remained, rather than the correct number. The impact depends on how the ACLs are configured. If only ALLOW ACLs exist during the migration, the impact is limited to availability (principals whose ALLOW ACLs are lost are refused access). If DENY ACLs exist, the impact can extend to confidentiality and integrity, depending on the ACL configuration, because DENY ACLs might be ignored during the migration period.
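The practical check for this bug is to capture the ACL listing before the migration starts and again from the KRaft side afterwards, then diff them per resource, flagging any dropped DENY ACL as a confidentiality/integrity concern rather than just an availability one (Kafka's authorizer evaluates DENY before ALLOW, so a vanished DENY silently widens access). The script below is an added example, not code from the advisory or from the Kafka project; it assumes the listing format printed by `kafka-acls.sh --list` in recent releases (one `Current ACLs for resource ...` header per resource followed by one parenthesised ACL per line), and the two listings are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample listings. The layout mirrors the output of
# `kafka-acls.sh --list` as assumed here; verify against your own version.
PRE_MIGRATION = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
  (principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:bob, host=*, operation=WRITE, permissionType=ALLOW)
  (principal=User:mallory, host=*, operation=READ, permissionType=DENY)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=billing, patternType=LITERAL)`:
  (principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
"""

# After removing bob's WRITE ACL mid-migration, only one ACL survives on the
# topic, although two should remain: the DENY for mallory has been dropped.
POST_MIGRATION = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
  (principal=User:alice, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=billing, patternType=LITERAL)`:
  (principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"Current ACLs for resource `(?P<res>[^`]+)`:")
ACL_RE = re.compile(r"\((principal=[^)]*)\)")


def parse_acl_listing(text):
    """Map each resource pattern to the set of ACL entries listed under it."""
    acls = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            current = m.group("res")
            acls[current]  # record the resource even if it ends up with no ACLs
            continue
        m = ACL_RE.search(line)
        if m and current is not None:
            acls[current].add(m.group(1))
    return dict(acls)


def diff_acls(before, after):
    """Report resources that lost ACLs, and whether any lost ACL was a DENY."""
    report = {}
    for res, expected in before.items():
        missing = expected - after.get(res, set())
        if missing:
            report[res] = {
                "missing": sorted(missing),
                "deny_dropped": any("permissionType=DENY" in a for a in missing),
            }
    return report


def check_migration(pre_text, post_text):
    return diff_acls(parse_acl_listing(pre_text), parse_acl_listing(post_text))


if __name__ == "__main__":
    for res, info in check_migration(PRE_MIGRATION, POST_MIGRATION).items():
        severity = "DENY DROPPED" if info["deny_dropped"] else "allow lost"
        print(f"[{severity}] {res}")
        for acl in info["missing"]:
            print(f"    - {acl}")
```

Run it with listings captured by `kafka-acls.sh --list` from the ZK-backed cluster before migration and from the KRaft controller afterwards; the `diff_acls` report distinguishes resources that merely lost an ALLOW (availability) from those that lost a DENY (access silently widened). Note that the removed `bob` ACL is expected to be missing too, so compare against the intended post-change state rather than treating every difference as the bug.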
| CPE | Name | Operator | Version |
|---|---|---|---|
| | apache kafka | le | 3.6.1 |

The operator `le` (less than or equal) marks all releases up to and including 3.6.1 as affected.