CVE-2024-36543

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://strimzi.com
https://github.com/almounah/vulnerability-research/tree/main/CVE-2024-36543

Configurations

No configuration.

History

03 Jul 2024, 02:03

Type	Values Removed	Values Added
CWE		CWE-400
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

20 Jun 2024, 12:44

Type	Values Removed	Values Added
Summary		(es) El control de acceso incorrecto en la API REST de Kafka Connect en el proyecto STRIMZI 0.41.0 y versiones anteriores permite a un atacante denegar el servicio de Kafka Mirroring y potencialmente reflejar el contenido de los temas en su clúster de Kafka a través de un conector malicioso (evitando Kafka ACL si existe), y potencialmente robar credenciales SASL de Kafka consultando la API REST de MirrorMaker Kafka.

17 Jun 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-17 19:15

Updated : 2024-07-03 02:03

NVD link : CVE-2024-36543

Mitre link : CVE-2024-36543

CVE.ORG link : CVE-2024-36543

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

9.8 /10