Vulnerability in Apache Kafka
CVE-2018-17196
In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are abl…
EPSS: 0.002 (43.3rd percentile)
Affected products
- Apache Kafka — versions 0.11.0.0 to 2.1.0
Public proof-of-concept exploits
References
- 109139 (vdb-entry, x_refsource_BID)
- [kafka-commits] 20190802 [kafka-site] branch asf-site updated: Add CVE-2018-17196, fix some links. (#223) (mailing-list, x_refsource_MLIST)
- [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities (mailing-list, x_refsource_MLIST)
- [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (mailing-list, x_refsource_MLIST)
- [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (mailing-list, x_refsource_MLIST)
- [kafka-commits] 20200115 [kafka-site] branch asf-site updated: Add CVE-2019-12399 (#250) (mailing-list, x_refsource_MLIST)
- [druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization (mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpujul2020.html (x_refsource_MISC)
- www.mail-archive.com/dev@kafka.apache.org/msg99277.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2018-17196?
- CVE-2018-17196 is a vulnerability in Apache Kafka. Published 2019-07-11.
- Is CVE-2018-17196 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.