Apache Kafka Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Kafka.

CVE-2019-12399 Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value (the externalized secret variable is not the whole configuration property value), then any client can issue a request to the same Connect cluster to obtain the connector's task configurations and the response will contain the plaintext secret rather than the externalized secrets variable. Users should upgrade to 2.0.2 or higher, 2.1.2 or higher, 2.2.2 or higher, or 2.3.1 or higher where this vulnerability has been fixed.

Versions affected 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0
Fixed versions 2.0.2, 2.1.2, 2.2.2, 2.3.1 and later
Impact This issue could result in exposing externalized connector secrets.
Issue announced 13 Jan 2020

CVE-2018-17196 Authenticated clients with Write permission may bypass transaction/idempotent ACL validation

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed.

Versions affected 0.11.0.0 to 2.1.0
Fixed versions 2.1.1 and later
Impact This issue could result in privilege escalation.
Issue announced 10 July 2019

CVE-2018-1288 Authenticated Kafka clients may interfere with data replication

Authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

Versions affected 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0
Fixed versions 0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0
Impact This issue could potentially lead to data loss.
Issue announced 26 July 2018

CVE-2017-12610 Authenticated Kafka clients may impersonate other users

Authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.

Versions affected 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1
Fixed versions 0.10.2.2, 0.11.0.2, 1.0.0
Impact This issue could result in privilege escalation.
Issue announced 26 July 2018