PT-2024-8692 · Apache+1 · Apache Kafka Clients+1
Chris Egerton
+2
·
Published
2024-03-28
·
Updated
2025-07-15
·
CVE-2024-31141
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Kafka Clients versions 2.3.0 through 3.7.1
Description
The issue is related to improper privilege management in Apache Kafka Clients, allowing attackers to access arbitrary contents of the disk and environment variables. This can be exploited in applications where configurations can be specified by an untrusted party, potentially escalating from REST API access to filesystem/environment access. This flaw may be particularly undesirable in certain environments, including SaaS products.
Recommendations
To resolve the issue, users with affected applications are recommended to:
- Upgrade kafka-clients to version >=3.8.0
- Set the JVM system property "org.apache.kafka.automatic.config.providers=none" For users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config, add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.
Fix
Improper Privilege Management
Files Accessible to External Parties
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Kafka Clients
Red Os