CVE-2018-17196

CWE-20 — Improper Input Validation8 documents7 sources

Severity

8.8HIGH

EPSS

0.4%

top 40.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Kafka

Timeline

PublishedJul 11

Latest updateMay 24

Description

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.kafka:kafka0.11.0.0 — 2.1.1

▶NVDapache/kafka0.11.0.0 — 2.1.0

▶CVEListV5apache/kafka0.11.0.0 to 2.1.0

🔴Vulnerability Details

OSV

Improper Input Validation in Apache Kafka↗2022-05-24

▶

GHSA

Improper Input Validation in Apache Kafka↗2022-05-24

▶

CVEList

CVE-2018-17196: In Apache Kafka versions between 0↗2019-07-11

▶

📋Vendor Advisories

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Core (Apache Kafka) — CVE-2018-17196↗2020-10-15

▶

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Web Access (kafka client) — CVE-2018-17196↗2020-07-15

▶

Red Hat

kafka: potential to bypass transaction/idempotent ACL checks↗2019-07-11

▶

💬Community

Bugzilla

CVE-2018-17196 kafka: potential to bypass transaction/idempotent ACL checks↗2019-07-23

▶