Platform: java
Component: org.apache.kafka:kafka-clients
Fixed in: 3.5.3, 3.6.3, 3.7.1
CVE-2024-31141 is a Privilege Escalation vulnerability affecting Apache Kafka Clients versions up to 3.7.0. This vulnerability arises from the improper handling of configuration data, specifically when using ConfigProvider plugins like FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider. Attackers can leverage this to manipulate Kafka's behavior if configurations are sourced from untrusted parties. A fix is available in version 3.7.1.
The core of this vulnerability lies in Kafka Clients' ability to accept configuration data from various sources, including disk and environment variables through ConfigProviders. If an attacker can influence these configuration sources, they can potentially modify Kafka's behavior, leading to privilege escalation. This could involve altering security settings, granting unauthorized access, or disrupting Kafka's operations. The impact is particularly severe in environments where Kafka configurations are not strictly controlled and are exposed to external influence, such as in cloud deployments or shared hosting scenarios. While the specific attack vectors are still being explored, the potential for unauthorized configuration changes presents a significant risk.
CVE-2024-31141 was publicly disclosed on November 19, 2024. Its CVSS score of 6.5 (MEDIUM) indicates a moderate risk. Currently, there are no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The potential for exploitation hinges on the attacker's ability to influence Kafka configuration sources, which may be easier in certain deployment environments.
Exploit Status
EPSS: 0.11% (30th percentile)
CVSS Vector
The primary mitigation for CVE-2024-31141 is to upgrade to Apache Kafka Clients version 3.7.1 or later. Prior to upgrading, carefully review any custom configuration scripts or processes that rely on FileConfigProvider, DirectoryConfigProvider, or EnvVarConfigProvider to ensure they are not vulnerable to manipulation. If an immediate upgrade is not feasible, consider restricting access to configuration files and environment variables to trusted users and processes only. Implement strict input validation on any configuration data sourced from external parties. Monitor Kafka logs for any unusual configuration changes or attempts to access sensitive configuration files. After upgrading, confirm the fix by verifying that configuration files are only accessible by authorized users and processes.
Update the kafka-clients library to version 3.8.0 or higher. Additionally, set the JVM system property 'org.apache.kafka.automatic.config.providers' to 'none' to disable automatic ConfigProviders. If using Kafka Connect, configure 'allowlist.pattern' and 'allowed.paths' to restrict access to files and environment variables.
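The two hardening steps above (the JVM system property and the per-provider restriction keys in a Kafka Connect worker config) can be checked mechanically. The script below is an added example written for this page, not tooling shipped by Apache Kafka: it writes two constructed worker property files, one with unrestricted FileConfigProvider/EnvVarConfigProvider entries and one with the allowed.paths and allowlist.pattern restrictions applied, and audits each for providers that lack those keys. Paths and the KAFKA_ prefix in the sample files are constructed for the demo; the property key names are the ones the advisory names.

```shell
#!/bin/sh
# Added example (not Kafka's own code): audit a Kafka Connect worker
# properties file for FileConfigProvider / DirectoryConfigProvider /
# EnvVarConfigProvider entries that have no path or variable restriction.
#
# The client-side half of the mitigation is a JVM flag, set for Kafka's own
# launch scripts via KAFKA_OPTS, e.g.:
#   export KAFKA_OPTS="-Dorg.apache.kafka.automatic.config.providers=none"

# check_worker_config FILE
#   prints one FINDING line per unrestricted provider;
#   returns 0 when every listed provider is restricted, 1 otherwise
check_worker_config() {
  file="$1"
  rc=0
  # provider aliases are declared as: config.providers=alias1,alias2,...
  aliases=$(sed -n 's/^config\.providers=//p' "$file" | tr ',' ' ')
  for alias in $aliases; do
    cls=$(sed -n "s/^config\.providers\.$alias\.class=//p" "$file")
    case "$cls" in
      *FileConfigProvider|*DirectoryConfigProvider)
        # file-backed providers must be fenced with allowed.paths
        if ! grep -q "^config\.providers\.$alias\.param\.allowed\.paths=" "$file"; then
          echo "FINDING: provider '$alias' ($cls) has no allowed.paths restriction"
          rc=1
        fi ;;
      *EnvVarConfigProvider)
        # the environment provider must be fenced with allowlist.pattern
        if ! grep -q "^config\.providers\.$alias\.param\.allowlist\.pattern=" "$file"; then
          echo "FINDING: provider '$alias' ($cls) has no allowlist.pattern restriction"
          rc=1
        fi ;;
    esac
  done
  return $rc
}

# Constructed sample inputs (not real deployment files).
tmpdir=$(mktemp -d)
WEAK_CFG="$tmpdir/worker-weak.properties"
HARDENED_CFG="$tmpdir/worker-hardened.properties"

# Weak: providers enabled with no bounds on what they may read.
cat > "$WEAK_CFG" <<'EOF'
config.providers=file,env
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
EOF

# Hardened: same providers, each restricted as the advisory recommends.
cat > "$HARDENED_CFG" <<'EOF'
config.providers=file,env
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
config.providers.file.param.allowed.paths=/etc/kafka/secrets
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
config.providers.env.param.allowlist.pattern=^KAFKA_.*
EOF

echo "== weak config =="
check_worker_config "$WEAK_CFG" || echo "result: unrestricted providers found"
echo "== hardened config =="
check_worker_config "$HARDENED_CFG" && echo "result: all providers restricted"
```

Run the script against a real worker.properties by calling check_worker_config on its path; a non-zero exit means at least one ConfigProvider in that file can still read outside an explicit allow-list.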
CVE-2024-31141 is a vulnerability in Apache Kafka Clients ≤3.7.0 that allows attackers to manipulate Kafka's behavior by influencing configuration data sourced from untrusted parties via ConfigProviders.
You are affected if you are using Apache Kafka Clients versions 3.7.0 or earlier and your Kafka configurations are sourced from potentially untrusted locations like disk or environment variables.
Upgrade to Apache Kafka Clients version 3.7.1 or later. Prior to upgrading, review and secure your configuration management practices to prevent unauthorized configuration changes.
As of November 2024, there are no publicly known active exploits for CVE-2024-31141, but the potential for exploitation exists.
Refer to the Apache Kafka security page for the latest information and advisory regarding CVE-2024-31141: https://kafka.apache.org/security