org.apache.kafka:kafka-clients 3.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kafka:kafka-clients package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper handling of configuration data in the `sasl.jaas.config` property. An attacker can achieve arbitrary code execution by injecting a malicious configuration that causes the server to connect to an attacker-controlled LDAP server and deserialize untrusted data, leading to execution of deserialization gadget chains. Note: This is only exploitable if the attacker has access to alterConfig for a cluster resource or Kafka Connect worker and can create or modify connectors with arbitrary Kafka client SASL JAAS configuration. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.kafka:kafka-clients` to version 3.9.1 or higher.	[2.3.0,3.9.1)
H Deserialization of Untrusted Data org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `JndiLoginModule` process in the SASL authentication mechanism. An attacker can execute arbitrary code or cause a denial of service by supplying a malicious JNDI URI in the broker's configuration. Note: This is only exploitable if the attacker can connect to the Kafka cluster and has the AlterConfigs permission on the cluster resource. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.kafka:kafka-clients` to version 3.9.1 or higher.	[2.0.0,3.9.1)
H Server-side Request Forgery (SSRF) org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper handling of `sasl.oauthbearer.token.endpoint.url` and `sasl.oauthbearer.jwks.endpoint.url` configurations. An attacker can read arbitrary contents of the disk and environment variables or make requests to an unintended location by manipulating these configurations. Note: This is only exploitable if configurations can be specified by an untrusted party. How to fix Server-side Request Forgery (SSRF)? Upgrade `org.apache.kafka:kafka-clients` to version 3.9.1 or higher.	[3.1.0,3.9.1)
H Incorrect Implementation of Authentication Algorithm org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the form of nonce verification that fails to comply with RFC 5802 in the SCRAM implementation. If TLS is not in use for SCRAM exchanges - which is an insecure configuration in its own right - an attacker can intercept and replay the authentication messages. Configurations with `SASL_PLAINTEXT` set for listeners are vulnerable. How to fix Incorrect Implementation of Authentication Algorithm? Upgrade `org.apache.kafka:kafka-clients` to version 3.7.2, 3.8.1 or higher.	[0.10.2.0,3.7.2)[3.8.0,3.8.1)
M Files or Directories Accessible to External Parties org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties through `ConfigProviders` interface, including the `FileConfigProvider`, `DirectoryConfigProvider`, and `EnvVarConfigProvider` class objects, which allows attackers to read arbitrary contents of the disk and environment variables. Note: Users should upgrade to the fixed version, and it is recommended that the JVM system property be set to `org.apache.kafka.automatic.config.providers=none`. Users of Kafka Connect with one of the above ConfigProvider implementations specified in their worker config are also recommended to add appropriate `allowlist.pattern` and `allowed.paths` to restrict their operation to appropriate bounds. How to fix Files or Directories Accessible to External Parties? Upgrade `org.apache.kafka:kafka-clients` to version 3.8.0 or higher.	[2.3.0,3.8.0)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper handling of configuration data in the sasl.jaas.config property. An attacker can achieve arbitrary code execution by injecting a malicious configuration that causes the server to connect to an attacker-controlled LDAP server and deserialize untrusted data, leading to execution of deserialization gadget chains.

Note:

This is only exploitable if the attacker has access to alterConfig for a cluster resource or Kafka Connect worker and can create or modify connectors with arbitrary Kafka client SASL JAAS configuration.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.kafka:kafka-clients to version 3.9.1 or higher.

[2.3.0,3.9.1)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JndiLoginModule process in the SASL authentication mechanism. An attacker can execute arbitrary code or cause a denial of service by supplying a malicious JNDI URI in the broker's configuration.

Note:

This is only exploitable if the attacker can connect to the Kafka cluster and has the AlterConfigs permission on the cluster resource.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.kafka:kafka-clients to version 3.9.1 or higher.

[2.0.0,3.9.1)

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper handling of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url configurations. An attacker can read arbitrary contents of the disk and environment variables or make requests to an unintended location by manipulating these configurations.

Note: This is only exploitable if configurations can be specified by an untrusted party.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.apache.kafka:kafka-clients to version 3.9.1 or higher.

[3.1.0,3.9.1)

Incorrect Implementation of Authentication Algorithm

Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the form of nonce verification that fails to comply with RFC 5802 in the SCRAM implementation. If TLS is not in use for SCRAM exchanges - which is an insecure configuration in its own right - an attacker can intercept and replay the authentication messages.

Configurations with SASL_PLAINTEXT set for listeners are vulnerable.

How to fix Incorrect Implementation of Authentication Algorithm?

Upgrade org.apache.kafka:kafka-clients to version 3.7.2, 3.8.1 or higher.

[0.10.2.0,3.7.2)[3.8.0,3.8.1)

Files or Directories Accessible to External Parties

Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties through ConfigProviders interface, including the FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider class objects, which allows attackers to read arbitrary contents of the disk and environment variables.

Note:

Users should upgrade to the fixed version, and it is recommended that the JVM system property be set to org.apache.kafka.automatic.config.providers=none.
Users of Kafka Connect with one of the above ConfigProvider implementations specified in their worker config are also recommended to add appropriate allowlist.pattern and allowed.paths to restrict their operation to appropriate bounds.

How to fix Files or Directories Accessible to External Parties?

Upgrade org.apache.kafka:kafka-clients to version 3.8.0 or higher.

[2.3.0,3.8.0)

org.apache.kafka:kafka-clients@3.4.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?