CVE-2024-27309

Severity: 7.4 HIGH
EPSS: 0.4% (top 40.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-04-12; latest update 2025-07-15

Description

While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug:

1. The administrator decides to remove an ACL.
2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.

When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather tha
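A practical check for the condition described above, added here as an example and not part of the Kafka project or the advisory: after each ACL removal performed while a cluster is mid-migration, list the ACLs the cluster reports for the affected resource and compare them with the set that should remain. The script parses the text printed by `kafka-acls.sh --list --topic <name>` (the line format is assumed from Kafka 2.x/3.x output; the sample listings below are constructed, and the path to kafka-acls.sh is a placeholder) and flags the CVE-2024-27309 pattern specifically: two or more ACLs are expected to remain, but exactly one is reported.

```python
"""Post-removal ACL consistency check for a Kafka cluster in ZK->KRaft migration.

Added example, not Kafka project code. Assumptions: `kafka-acls.sh --list` prints
one "Current ACLs for resource `ResourcePattern(...)`:" header per resource
followed by one "(principal=..., host=..., operation=..., permissionType=...)"
line per ACL (Kafka 2.x/3.x format); KAFKA_ACLS_SH is a placeholder path.
"""
import re
import subprocess
from dataclasses import dataclass

KAFKA_ACLS_SH = "/opt/kafka/bin/kafka-acls.sh"  # assumed install path

RESOURCE_RE = re.compile(
    r"Current ACLs for resource `ResourcePattern\(resourceType=(\w+), "
    r"name=([^,)]+), patternType=(\w+)\)`"
)
ACL_RE = re.compile(
    r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)"
)

# Constructed sample outputs for topic "orders". The second one shows the symptom
# from the advisory: only one ACL reported where two should remain.
LISTING_TWO_ACLS = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
\t(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
\t(principal=User:carol, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""
LISTING_ONE_ACL = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
\t(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
"""


@dataclass(frozen=True)
class Acl:
    principal: str
    host: str
    operation: str
    permission: str


def parse_acl_listing(text):
    """Return {(resourceType, name, patternType): frozenset(Acl)} from --list output."""
    resources = {}
    current = None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            current = m.groups()
            resources.setdefault(current, set())
            continue
        m = ACL_RE.search(line)
        if m and current is not None:
            resources[current].add(Acl(*m.groups()))
    return {k: frozenset(v) for k, v in resources.items()}


def list_topic_acls(bootstrap_server, topic):
    """Run kafka-acls.sh against a live cluster and return its raw listing text."""
    cmd = [KAFKA_ACLS_SH, "--bootstrap-server", bootstrap_server,
           "--list", "--topic", topic]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_after_removal(listing_text, resource, before, removed):
    """Compare the reported ACL set for `resource` with what the removal should leave.

    `before` is the ACL set held before the removal, `removed` the single ACL
    deleted. `suspect` is set only when both advisory preconditions hold (two or
    more ACLs should remain) and the cluster reports exactly one; `ok` is the
    stricter exact-match test.
    """
    expected = frozenset(before) - {removed}
    actual = parse_acl_listing(listing_text).get(resource, frozenset())
    return {
        "ok": actual == expected,
        "suspect": len(expected) >= 2 and len(actual) == 1,
        "missing": expected - actual,
        "extra": actual - expected,
    }


if __name__ == "__main__":
    topic = ("TOPIC", "orders", "LITERAL")
    before = {Acl("User:alice", "*", "READ", "ALLOW"),
              Acl("User:bob", "*", "WRITE", "ALLOW"),
              Acl("User:carol", "*", "DESCRIBE", "ALLOW")}
    removed = Acl("User:bob", "*", "WRITE", "ALLOW")
    for label, text in (("healthy", LISTING_TWO_ACLS), ("collapsed", LISTING_ONE_ACL)):
        print(label, check_after_removal(text, topic, before, removed))
```

The listing reflects what the cluster's metadata reports, which is the cheapest signal to automate; a stronger confirmation is to probe authorization directly, for example by attempting the operation as each principal that should still be allowed. Either way, a `suspect` result during migration is a reason to stop further ACL changes until the fixed release is in place.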

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2
(Network attack vector, high attack complexity, no privileges or user interaction required, scope unchanged; high confidentiality and integrity impact, no availability impact.)

Affected Packages (3)

Source      Package                                   Versions
Maven       org.apache.kafka:kafka-metadata           3.5.0 – 3.6.2 (fixed in 3.6.2)
NVD         apache/kafka                              3.5.0 – 3.6.1
CVEListV5   apache_software_foundation/apache_kafka   3.5.0 – 3.5.2 (+1 more range)

Vulnerability Details (4)

OSV      Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode (2024-04-12)
GHSA     Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode (2024-04-12)
OSV      CVE-2024-27309: While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced (2024-04-12)
CVEList  Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode (2024-04-12)

Vendor Advisories (3)

Oracle   Oracle Siebel CRM Risk Matrix: Event Publish and Subscribe (Apache Kafka), CVE-2024-27309 (2025-07-15)
Oracle   Oracle Communications Applications Risk Matrix: Solution Designer (Apache Kafka), CVE-2024-27309 (2025-01-15)
Red Hat  Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode (2024-04-12)

Source page: cvebase.io, CVE-2024-27309 (HIGH, CVSS 7.4)