cnvd - cnvd-2024-49155

cnvd-2024-49155

Vulnerability from cnvd

Title: Apache Kafka授权问题漏洞

Description:

Apache Kafka是美国阿帕奇（Apache）基金会的一套开源的分布式流媒体平台。该平台能够获取实时数据，用于构建对数据流的变化进行实时反应的应用程序。

Apache Kafka 2.3.0至3.5.2版本、3.6.2版本和3.7.0版本存在授权问题漏洞，该漏洞源于不正当的权限管理，攻击者可利用该漏洞通过ConfigProviders读取磁盘和环境变量中的任意内容。

Severity: 中

Patch Name: Apache Kafka授权问题漏洞的补丁

Patch Description:

Apache Kafka 2.3.0至3.5.2版本、3.6.2版本和3.7.0版本存在授权问题漏洞，该漏洞源于不正当的权限管理，攻击者可利用该漏洞通过ConfigProviders读取磁盘和环境变量中的任意内容。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-31141

Impacted products

Name
['Apache Kafka >=2.3.0，<=3.5.2', 'Apache Kafka 3.6.2', 'Apache Kafka 3.7.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-31141",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141"
    }
  },
  "description": "Apache Kafka\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5206\u5e03\u5f0f\u6d41\u5a92\u4f53\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u80fd\u591f\u83b7\u53d6\u5b9e\u65f6\u6570\u636e\uff0c\u7528\u4e8e\u6784\u5efa\u5bf9\u6570\u636e\u6d41\u7684\u53d8\u5316\u8fdb\u884c\u5b9e\u65f6\u53cd\u5e94\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\n\nApache Kafka 2.3.0\u81f33.5.2\u7248\u672c\u30013.6.2\u7248\u672c\u548c3.7.0\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u6b63\u5f53\u7684\u6743\u9650\u7ba1\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7ConfigProviders\u8bfb\u53d6\u78c1\u76d8\u548c\u73af\u5883\u53d8\u91cf\u4e2d\u7684\u4efb\u610f\u5185\u5bb9\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49155",
  "openTime": "2024-12-24",
  "patchDescription": "Apache Kafka\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5206\u5e03\u5f0f\u6d41\u5a92\u4f53\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u80fd\u591f\u83b7\u53d6\u5b9e\u65f6\u6570\u636e\uff0c\u7528\u4e8e\u6784\u5efa\u5bf9\u6570\u636e\u6d41\u7684\u53d8\u5316\u8fdb\u884c\u5b9e\u65f6\u53cd\u5e94\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nApache Kafka 2.3.0\u81f33.5.2\u7248\u672c\u30013.6.2\u7248\u672c\u548c3.7.0\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0d\u6b63\u5f53\u7684\u6743\u9650\u7ba1\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7ConfigProviders\u8bfb\u53d6\u78c1\u76d8\u548c\u73af\u5883\u53d8\u91cf\u4e2d\u7684\u4efb\u610f\u5185\u5bb9\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Kafka\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Kafka \u003e=2.3.0\uff0c\u003c=3.5.2",
      "Apache Kafka 3.6.2",
      "Apache Kafka 3.7.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141",
  "serverity": "\u4e2d",
  "submitTime": "2024-11-21",
  "title": "Apache Kafka\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2024-31141 (GCVE-0-2024-31141)

Vulnerability from cvelistv5

Published

2024-11-19 08:40

Modified

2025-01-31 15:02

Severity ?

CWE

CWE-552 - Files or Directories Accessible to External Parties
CWE-269 - Improper Privilege Management

Summary

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0. Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property "org.apache.kafka.automatic.config.providers=none". Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.

References

▼	URL	Tags
	https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kafka Clients	Version: 2.3.0 ≤ 3.5.2 Version: 3.6.0 ≤ 3.6.2 Version: 3.7.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-31T15:02:44.982Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/11/18/5"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250131-0001/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-31141",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T14:14:13.118831Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T14:15:34.254Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.kafka:kafka-clients",
          "product": "Apache Kafka Clients",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.5.2",
              "status": "affected",
              "version": "2.3.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "3.6.2",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "3.7.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Greg Harris"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Mickael Maison"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Chris Egerton"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients.\u003cbr\u003e\u003cbr\u003eApache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables.\u003cbr\u003eIn applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.\u003cbr\u003e\u003cbr\u003eIn particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers with affected applications are recommended to upgrade kafka-clients to version \u0026gt;=3.8.0, and set the JVM system property \"org.apache.kafka.automatic.config.providers=none\".\u003cbr\u003eUsers of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate \"allowlist.pattern\" and \"allowed.paths\" to restrict their operation to appropriate bounds.\u003cbr\u003e\u003c/p\u003eFor users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property.\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eFor users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients.\n\nApache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables.\nIn applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.\n\nIn particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products.\nThis issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0.\n\n\nUsers with affected applications are recommended to upgrade kafka-clients to version \u003e=3.8.0, and set the JVM system property \"org.apache.kafka.automatic.config.providers=none\".\nUsers of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate \"allowlist.pattern\" and \"allowed.paths\" to restrict their operation to appropriate bounds.\n\n\nFor users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property.\nFor users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-552",
              "description": "CWE-552 Files or Directories Accessible to External Parties",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-19T08:40:50.695Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-31141",
    "datePublished": "2024-11-19T08:40:50.695Z",
    "dateReserved": "2024-03-28T16:57:34.016Z",
    "dateUpdated": "2025-01-31T15:02:44.982Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted