org.apache.kafka:kafka-clients@3.8.1 vulnerabilities

  • latest version: 4.0.0

  • first published: 10 years ago

  • latest version published: 5 months ago
  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.kafka:kafka-clients package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions

    • [High] Deserialization of Untrusted Data

    org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper handling of configuration data in the sasl.jaas.config property. An attacker can achieve arbitrary code execution by injecting a malicious configuration that causes the server to connect to an attacker-controlled LDAP server and deserialize untrusted data, leading to execution of deserialization gadget chains.

    Note:

    This is only exploitable if the attacker has access to alterConfig for a cluster resource or Kafka Connect worker and can create or modify connectors with arbitrary Kafka client SASL JAAS configuration.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.kafka:kafka-clients to version 3.9.1 or higher.

    Vulnerable versions: [2.3.0,3.9.1)

    • [High] Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JndiLoginModule process in the SASL authentication mechanism. An attacker can execute arbitrary code or cause a denial of service by supplying a malicious JNDI URI in the broker's configuration.

    Note:

    This is only exploitable if the attacker can connect to the Kafka cluster and has the AlterConfigs permission on the cluster resource.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.kafka:kafka-clients to version 3.9.1 or higher.

    Vulnerable versions: [2.0.0,3.9.1)

    • [High] Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper handling of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url configurations. An attacker can read arbitrary contents of the disk and environment variables or make requests to an unintended location by manipulating these configurations.

    Note: This is only exploitable if configurations can be specified by an untrusted party.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade org.apache.kafka:kafka-clients to version 3.9.1 or higher.

    Vulnerable versions: [3.1.0,3.9.1)
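The three advisories above share a common defensive check: decide whether the kafka-clients version in use falls inside the listed ranges, and audit client configuration that untrusted parties might be able to set (sasl.jaas.config, including Kafka Connect producer.override./consumer.override. prefixes, and the OAuthBearer endpoint URLs). The script below is an added example, not code from Snyk or the Kafka project; the ADVISORIES ranges are copied from this page, while ALLOWED_OAUTH_HOSTS and the sample configs are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Vulnerable ranges from the advisory, in Maven interval notation [lower, upper).
ADVISORIES = {
    "sasl.jaas.config deserialization (LDAP)": "[2.3.0,3.9.1)",
    "JndiLoginModule deserialization": "[2.0.0,3.9.1)",
    "OAuthBearer endpoint SSRF": "[3.1.0,3.9.1)",
}

# Constructed allowlist: the only identity-provider host OAuthBearer may talk to.
ALLOWED_OAUTH_HOSTS = {"idp.example.internal"}
OAUTH_URL_KEYS = ("sasl.oauthbearer.token.endpoint.url",
                  "sasl.oauthbearer.jwks.endpoint.url")


def parse_version(version):
    """'3.8.1' -> (3, 8, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, interval):
    """True if version lies in a half-open Maven interval such as [2.3.0,3.9.1)."""
    match = re.fullmatch(r"\[([\d.]+),([\d.]+)\)", interval)
    lower, upper = parse_version(match.group(1)), parse_version(match.group(2))
    return lower <= parse_version(version) < upper


def affected_advisories(version):
    """Names of the advisories on this page that cover the given kafka-clients version."""
    return [name for name, interval in ADVISORIES.items() if in_range(version, interval)]


def audit_client_config(config):
    """Flag settings an untrusted party could abuse; returns a list of findings."""
    findings = []
    for key, value in config.items():
        # Catches plain and Connect-prefixed keys (e.g. producer.override.sasl.jaas.config).
        if key.endswith("sasl.jaas.config") and "JndiLoginModule" in str(value):
            findings.append(f"{key} references JndiLoginModule")
        if key.endswith(OAUTH_URL_KEYS):
            parsed = urlparse(str(value))
            # Rejects file:// and other non-https schemes as well as unknown hosts.
            if parsed.scheme != "https" or parsed.hostname not in ALLOWED_OAUTH_HOSTS:
                findings.append(f"{key} points outside the allowlist: {value}")
    return findings
```

Run affected_advisories("3.8.1") against a dependency report to confirm exposure, then feed connector and client configs pulled from your own Connect REST API or properties files into audit_client_config as a pre-deployment gate.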