PT-2018-5434 · Apache · Apache Kafka

Publicado

2018-07-26

·

Atualizado

2022-05-13

·

CVE-2017-12610

CVSS v3.1

6.8

Média

VetorAV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Kafka versions 0.10.0.0 through 0.10.2.1 Apache Kafka versions 0.11.0.0 through 0.11.0.1
Description: The issue allows authenticated Kafka clients to use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.
Recommendations: For Apache Kafka versions 0.10.0.0 through 0.10.2.1, update to a version outside of this range to resolve the issue. For Apache Kafka versions 0.11.0.0 through 0.11.0.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the SASL/PLAIN and SASL/SCRAM authentication mechanisms until a patch is available.

Correção

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287

Identificadores relacionados

CVE-2017-12610
GHSA-XM78-4M3G-7WM7

Produtos afetados

Apache Kafka