org.apache.kafka:kafka-clients@2.7.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kafka:kafka-clients package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Deserialization of Untrusted Data

org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when there are gadgets in the classpath. The server will connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.

Note: Exploitation requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.kafka:kafka-clients to version 3.4.0 or higher.

[2.3.0,3.4.0)