CVE-2024-36543: STRIMZI incorrect access control

June 17, 2024 (updated June 18, 2024)

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics’ content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.

References

github.com/advisories/GHSA-q2xx-f8r3-9mg5
github.com/almounah/vulnerability-research/tree/main/CVE-2024-36543
github.com/strimzi/strimzi-kafka-operator
nvd.nist.gov/vuln/detail/CVE-2024-36543

Detect and mitigate CVE-2024-36543 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →