CVE-2024-36543

Published: Jun 17, 2024Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (4)

http://strimzi.com

Source: cve@mitre.org

https://github.com/almounah/vulnerability-research/tree/main/CVE-2024-36543

Source: cve@mitre.org

http://strimzi.com

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/almounah/vulnerability-research/tree/main/CVE-2024-36543

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.