CVE-2024-31141
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Kafka is a distributed streaming platform designed for building real-time data pipelines and event-driven applications at enterprise scale. It offers a high-throughput, fault-tolerant messaging system that enables applications to publish, store, and process continuous streams of records with low latency.
A security vulnerability (CVE-2024-31141) has been identified in Apache Kafka, affecting kafka-clients and posing particular risk in Kafka Connect when configuration inputs may come from untrusted sources. Because Kafka Clients support file, directory, and environment-variable ConfigProviders, an attacker able to supply connector or client configuration can abuse these providers to read arbitrary filesystem data or environment variables, potentially escalating limited REST API access into sensitive data exposure.
Per OWASP, CWE-552 (Files or Directories Accessible to External Parties) arises when applications expose files or directories to users who should not have access, often due to improper path handling, overly broad read permissions, or failure to validate which resources a requester is allowed to retrieve. Attackers can exploit this by manipulating file paths or leveraging unintended access points to read sensitive information such as credentials, configuration files, or internal system data.
Per OWASP, CWE-269 (Improper Privilege Management) occurs when an application fails to correctly enforce or separate privilege levels, allowing users or components to perform actions beyond their authorized permissions. This can include incorrect role checks, flawed elevation or delegation logic, or missing restrictions on operations reserved for higher-privileged entities. Attackers may exploit such weaknesses to escalate privileges, modify protected resources, or execute operations intended only for administrators or trusted services.
This issue affects multiple versions of Apache Kafka kafka-clients.
Details
Module Info
- Product: Apache Kafka
- Affected packages: kafka-clients
- Affected versions: >=2.3.0 <=3.3.2 ; >=3.6.0 <=3.6.2 ; =3.7.0
- GitHub repository: https://github.com/apache/kafka/
- Published packages: https://central.sonatype.com/artifact/org.apache.kafka/kafka-clients
- Package manager: Maven
- Fixed In: NES for Spring Boot 2.7
Vulnerability Info
This medium-severity vulnerability is found in the kafka-clients package in all published versions of Apache Kafka.
Apache Kafka Clients accept configuration data for customizing behavior and include ConfigProvider plugins that resolve placeholders in these configurations at load time. Apache Kafka also ships FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which read values from disk or from environment variables.
In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.
In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products.
Steps To Reproduce
Use a ConfigProvider that can read from disk or from environment variables, and then expose the resolved values.
Proof Of Concept
If an attacker can supply configuration values that Kafka resolves using ConfigProviders, Kafka will instantiate any provider class referenced by that configuration and allow it to read from the local filesystem or environment. The attacker can then cause sensitive local data to be pulled into configuration values and exposed at the application layer (e.g., via logs, metrics, or APIs that echo back config-derived values).
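A defensive check for the scenario above, as an added example that is not part of the original advisory or of the Kafka project: it audits a connector configuration received from an untrusted submitter before it is forwarded to a Connect worker, flagging any provider definitions and any `${provider:[path:]key}` placeholders (Kafka's ConfigTransformer syntax) that reference a provider or path outside a deployer-defined allowlist. The allowlist, the sample connector config and its paths are constructed for illustration.

```python
import re
from typing import Dict, List

# Kafka resolves placeholders of the form ${provider:[path:]key}; this
# mirrors ConfigTransformer's placeholder pattern (provider, optional path, key).
PLACEHOLDER = re.compile(r"\$\{([^}]*?):(([^}]*?):)?([^}]*?)\}")


def audit_connector_config(config: Dict[str, str],
                           allowed_providers: Dict[str, str]) -> List[str]:
    """Return findings for an untrusted connector config; [] means clean.

    allowed_providers maps a provider alias (e.g. "file") to the path prefix
    its placeholders may reference ("" allows any path for that provider).
    """
    findings = []
    for key, value in config.items():
        # config.providers* keys let the submitter pick which provider classes
        # the worker instantiates, so they must never come from an untrusted party.
        if key == "config.providers" or key.startswith("config.providers."):
            findings.append(f"{key}: provider definition supplied in connector config")
            continue
        for m in PLACEHOLDER.finditer(str(value)):
            provider, path = m.group(1), m.group(3) or ""
            if provider not in allowed_providers:
                findings.append(f"{key}: references disallowed provider '{provider}'")
            elif not path.startswith(allowed_providers[provider]):
                findings.append(f"{key}: provider '{provider}' path '{path}' outside allowed prefix")
    return findings


# Constructed sample: a connector config as it might arrive via the Connect REST API.
# Only the first placeholder stays within the approved secrets directory.
SAMPLE_CONFIG = {
    "connector.class": "FileStreamSink",
    "topics": "orders",
    "producer.override.sasl.jaas.config": "${file:/opt/connect/secrets/orders.properties:jaas}",
    "consumer.override.ssl.truststore.password": "${file:/var/lib/other-app/credentials.properties:api_key}",
    "value.converter.schemas.enable": "${env:SCHEMAS_ENABLED}",
    "config.providers": "file",
}

if __name__ == "__main__":
    for finding in audit_connector_config(SAMPLE_CONFIG, {"file": "/opt/connect/secrets/"}):
        print(finding)
```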
Mitigation
Only recent versions of Apache Kafka are community-supported, and only those versions will receive updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Apache Kafka.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credit
- Greg Harris (finder)