CVE-2017-12610

CWE-287 — Improper Authentication CWE-2906 documents6 sources

Severity

6.8MEDIUM

EPSS

0.4%

top 41.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Kafka Apache Software Foundation Apache Kafka

Timeline

PublishedJul 26

Latest updateMay 13

Description

In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.apache.kafka:kafka-clients0.10.0.0 — 0.10.2.2+1

▶NVDapache/kafka0.10.0.0 — 0.10.2.1+1

▶CVEListV5apache_software_foundation/apache_kafka0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1+1

🔴Vulnerability Details

GHSA

Improper Authentication in Apache Kafka↗2022-05-13

▶

OSV

Improper Authentication in Apache Kafka↗2022-05-13

▶

CVEList

CVE-2017-12610: In Apache Kafka 0↗2018-07-26

▶

📋Vendor Advisories

Red Hat

kafka: Clients authenticated with SASL/PLAIN or SASL/SCRAM can impersonate other users↗2018-07-26

▶

💬Community

Bugzilla

CVE-2017-12610 kafka: Clients authenticated with SASL/PLAIN or SASL/SCRAM can impersonate other users↗2018-08-02

▶