Mickael Maison

**Name of the Vulnerable Software and Affected Versions** Apache Kafka Clients versions 2.3.0 through 3.7.1 **Description** The issue is related to improper privilege management in Apache Kafka Clients, allowing attackers to access arbitrary contents of the disk and environment variables. This can be exploited in applications where configurations can be specified by an untrusted party, potentially escalating from REST API access to filesystem/environment access. This flaw may be particularly undesirable in certain environments, including SaaS products. **Recommendations** To resolve the issue, users with affected applications are recommended to: - Upgrade kafka-clients to version >=3.8.0 - Set the JVM system property "org.apache.kafka.automatic.config.providers=none" For users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config, add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.