CVE-2018-17196
Severity: HIGH
Apache Kafka 0.11.0.0-2.1.0 - Authenticated ACL Bypass via Crafted Produce Request
In Apache Kafka versions 0.11.0.0 through 2.1.0, a client can hand-craft a Produce request that bypasses the broker's transaction/idempotent ACL validation. Exploitation requires an authenticated client that already holds Write permission on the target topics; what the bypass buys such a client is the ability to perform idempotent or transactional produces without the additional ACLs Kafka normally requires for them (IdempotentWrite on the Cluster resource, Write on the TransactionalId resource). Users should upgrade to 2.1.1 or later, where this vulnerability has been fixed.
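An affected-version check for this advisory, added here as an example; it is not part of the advisory text or of the Kafka project. It encodes the range stated above (0.11.0.0 inclusive to 2.1.1 exclusive) and scans a broker's libs/ listing for the broker jar. It assumes broker jars follow the kafka_<scala>-<version>.jar naming, treats any trailing qualifier such as -cp1 as a vendor suffix to ignore, and the sample listing is constructed. The ACL check that is bypassed runs on the broker, so the broker jar is the one that matters; client jars are skipped.

```python
import re
from typing import List, Optional, Tuple

# Range taken from the advisory text: 0.11.0.0 through 2.1.0 affected,
# 2.1.1 and later fixed. Stored as int tuples so comparison is numeric.
AFFECTED_FROM = (0, 11, 0, 0)   # inclusive lower bound
FIXED_IN = (2, 1, 1)            # exclusive upper bound (first fixed release)

# Broker jars are named kafka_<scala>-<kafka version>.jar, e.g. kafka_2.12-2.1.0.jar.
# A trailing vendor qualifier (e.g. "-cp1") is an assumption and is ignored.
_BROKER_JAR_RE = re.compile(r"^kafka_\d+\.\d+-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.11.0.0' -> (0, 11, 0, 0); '2.1.1-cp1' -> (2, 1, 1).

    String comparison would get this wrong ('0.11.0.0' < '0.9.0.1' as text),
    so each component is compared as an integer.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    # Right-pad with zeros so 3- and 4-component versions compare sanely.
    return v + (0,) * (n - len(v))


def is_affected(version: str) -> bool:
    """True if the broker version lies in [0.11.0.0, 2.1.1)."""
    v = parse_version(version)
    n = max(len(v), len(AFFECTED_FROM), len(FIXED_IN))
    return _pad(AFFECTED_FROM, n) <= _pad(v, n) < _pad(FIXED_IN, n)


def version_from_jar(filename: str) -> Optional[str]:
    """Kafka version from a broker jar name, or None for any other jar."""
    m = _BROKER_JAR_RE.match(filename)
    return m.group(1) if m else None


def scan_libs(filenames: List[str]) -> List[Tuple[str, str, bool]]:
    """(jar, version, affected) for every broker jar in a libs/ listing."""
    found = []
    for name in filenames:
        ver = version_from_jar(name)
        if ver is not None:
            found.append((name, ver, is_affected(ver)))
    return found


# Constructed sample listing, as if concatenated from several brokers' libs/ dirs.
SAMPLE_LIBS = [
    "kafka_2.11-0.10.2.2.jar",   # predates the affected range
    "kafka_2.11-0.11.0.0.jar",   # first affected release
    "kafka_2.12-2.1.0.jar",      # last affected release
    "kafka_2.12-2.1.1.jar",      # first fixed release
    "kafka_2.12-2.1.1-cp1.jar",  # assumed vendor-qualified fixed build
    "kafka-clients-2.1.0.jar",   # client jar, not the broker; ignored
    "connect-api-2.1.0.jar",
]

if __name__ == "__main__":
    for jar, ver, bad in scan_libs(SAMPLE_LIBS):
        print(f"{jar:28} {ver:10} {'AFFECTED' if bad else 'ok'}")
```

Run it against a real `ls libs/` by replacing SAMPLE_LIBS with the directory listing; a version such as 2.1.1 padded to (2, 1, 1, 0) falls outside the range, so the exclusive upper bound matches the advisory's "upgrade to 2.1.1 or later".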
References (11)
Third Party Advisory (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/109139
Mailing List (x_refsource_mlist) [commits.kafka.apache.org]: https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58%40%3Ccommits.kafka.apache.org%3E
Mailing List (x_refsource_mlist) [dev.drill.apache.org]: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
Mailing List (x_refsource_mlist) [dev.drill.apache.org]: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
Mailing List (x_refsource_mlist) [issues.drill.apache.org]: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
Mailing List (x_refsource_mlist) [commits.kafka.apache.org]: https://lists.apache.org/thread.html/rc27d424d0bdeaf31081c3e246db3c66e882243ae3f342dfa845e0261%40%3Ccommits.kafka.apache.org%3E
Mailing List (x_refsource_mlist) [commits.druid.apache.org]: https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E
Vendor Advisory (x_refsource_misc) [Oracle CPU July 2020]: https://www.oracle.com/security-alerts/cpujul2020.html
Mailing List (x_refsource_misc) [dev@kafka.apache.org archive]: https://www.mail-archive.com/dev%40kafka.apache.org/msg99277.html
Vendor Advisory (x_refsource_misc) [Oracle CPU October 2020]: https://www.oracle.com/security-alerts/cpuoct2020.html
Mailing List (x_refsource_mlist) [user.flink.apache.org]: https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a%40%3Cuser.flink.apache.org%3E
Scores
CVSS v3 base score: 8.8 (HIGH)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0021 (percentile 43.1%)
Details
Status: published
Products (2)
apache/kafka: 0.11.0.0 - 2.1.0
org.apache.kafka/kafka (Maven): 0.11.0.0 - 2.1.1 (upper bound exclusive; 2.1.1 is the first release that contains the fix)
Published: Jul 11, 2019
Tracked Since: Feb 18, 2026