CVE-2024-31141

CWE-269 — Improper Privilege Management CWE-552 — Files Accessible to External Parties CWE-737 documents6 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 63.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Kafka Clients Apache Kafka

Timeline

PublishedNov 19

Latest updateJul 15

Description

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clien…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.kafka:kafka-clients2.3.0 — 3.7.1

▶CVEListV5apache_software_foundation/apache_kafka_clients2.3.0 — 3.5.2+2

▶NVDapache/kafka2.3.0 — 3.5.2+2

🔴Vulnerability Details

OSV

Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider↗2024-11-19

▶

CVEList

Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider↗2024-11-19

▶

GHSA

Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider↗2024-11-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Third Party (Apache Kafka) — CVE-2024-31141↗2025-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Microservices (Apache Kafka) — CVE-2024-31141↗2025-04-15

▶

Red Hat

kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider↗2024-11-19

▶