In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability.
I see the Alias was corrected from CVE-2019-17196 to the correct CVE (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the cve-metadata from bugzilla XML file at https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml still contains the 2019 CVE.
Could you check if maybe some update to the file is missing?
This has been reported to the team responsible for /security/data/metrics; expect an update here soon.
Okay thank you Doran!
(In reply to Salvatore Bonaccorso from comment #2)
> I see the Alias was corrected from CVE-2019-17196 to the correct CVE
> (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the
> cve-metadata from bugzilla XML file at
> still contains the 2019 CVE.
It is fixed now, thanks for pointing it out!
This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):