Apache · Apache Kafka · CVE-2024-27309
**Name of the Vulnerable Software and Affected Versions**
Apache Kafka (affected versions not specified)
**Description**
During the migration of an Apache Kafka cluster from ZooKeeper mode to KRaft mode, ACLs may not be correctly enforced under certain conditions. Two preconditions are required to trigger the issue: the administrator removes an ACL, and the resource associated with the removed ACL still has two or more other ACLs after removal. As a result, Kafka treats the resource as if it had only one ACL, rather than the correct two or more. The impact depends on the ACLs in use, potentially affecting availability, confidentiality, and integrity if DENY ACLs are configured. The issue is resolved once the migration is completed, with no metadata loss.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.