SCA: security update for org.apache.kafka:kafka-clients (GHSA-2x2g-32r7-p4x8)

medium Tenable Cloud Security Plugin ID 409148

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and include ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0. Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property "org.apache.kafka.automatic.config.providers=none". Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property. (CVE-2024-31141)
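The advisory's second recommendation is to bound each of the three built-in ConfigProviders declared in a Kafka Connect worker config. The following checker, an added example that is not Tenable's or Apache Kafka's own code, reads a worker properties file and reports providers that carry none of the restrictions named above; it assumes Kafka's worker-config naming convention (config.providers=<alias>,...; config.providers.<alias>.class=...; config.providers.<alias>.param.<key>=...), and the sample config embedded below is constructed for illustration.

```python
"""Flag unrestricted FileConfigProvider / DirectoryConfigProvider / EnvVarConfigProvider
declarations in a Kafka Connect worker config (added example, not project code).
Assumption: provider parameters are passed as config.providers.<alias>.param.<key>.
"""

# Built-in provider class -> restriction parameter the advisory recommends
REQUIRED_PARAM = {
    "org.apache.kafka.common.config.provider.FileConfigProvider": "allowed.paths",
    "org.apache.kafka.common.config.provider.DirectoryConfigProvider": "allowed.paths",
    "org.apache.kafka.common.config.provider.EnvVarConfigProvider": "allowlist.pattern",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unrestricted_providers(props):
    """Return [(alias, class, missing_param)] for built-in providers with no bound set."""
    findings = []
    aliases = [a.strip() for a in props.get("config.providers", "").split(",") if a.strip()]
    for alias in aliases:
        cls = props.get(f"config.providers.{alias}.class", "")
        needed = REQUIRED_PARAM.get(cls)
        # An absent or empty restriction parameter leaves the provider unbounded
        if needed and not props.get(f"config.providers.{alias}.param.{needed}"):
            findings.append((alias, cls, needed))
    return findings


# Constructed worker config: 'file' is bounded to one directory, 'env' and 'dir' are not
SAMPLE = """
config.providers=file,env,dir
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.file.param.allowed.paths=/etc/kafka/secrets
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
config.providers.dir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider
"""

if __name__ == "__main__":
    for alias, cls, needed in unrestricted_providers(parse_properties(SAMPLE)):
        print(f"provider '{alias}' ({cls.rsplit('.', 1)[-1]}) lacks '{needed}'")
```

Run it against a real worker.properties by replacing SAMPLE with the file contents; the JVM property "org.apache.kafka.automatic.config.providers=none" is a separate, process-level setting this checker does not inspect.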

See Also

https://github.com/advisories/GHSA-2x2g-32r7-p4x8

Plugin Details

Severity: Medium

ID: 409148

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.66

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2024-31141

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.8

Threat Score: 4.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/19/2024

Vulnerability Publication Date: 11/19/2024

Reference Information

CVE: CVE-2024-31141

CWE: CWE-269