CVE-2024-36543
Severity: CRITICAL
STRIMZI Project <= 0.41.0 - Unauthenticated Uncontrolled Resource Consumption via MirrorMaker Kafka REST API
Title source: llmDescription
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny service for Kafka mirroring, potentially mirror the topics' content to an attacker-controlled Kafka cluster via a malicious connector (bypassing Kafka ACLs, if any exist), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.
References (2)
http://strimzi.com
Scores
CVSS v3: 9.8
EPSS: 0.0053
EPSS Percentile: 40.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-400
Status: published
Products (1)
io.strimzi/strimzi (Maven)
Published: Jun 17, 2024
Tracked Since: Feb 18, 2026