In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability.
External References: https://www.mail-archive.com/dev@kafka.apache.org/msg99277.html
Hi, I see the Alias was corrected from CVE-2019-17196 to the correct CVE (CVE-2018-17196). But I noticed that as of 2019-07-26 07:13 UTC, the cve-metadata-from-bugzilla XML file at https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml still contains the 2019 CVE. Could you check whether an update to the file is missing? Regards, Salvatore
Thanks Salvatore, This has been reported to the team responsible for /security/data/metrics; expect an update here soon.
Okay thank you Doran!
(In reply to Salvatore Bonaccorso from comment #2)
> I see the Alias was corrected from CVE-2019-17196 to the correct CVE
> (CVE-2018-17196). But I noticed as per (2019-07-26 07:13 UTC) the
> cve-metadata from bugzilla XML file at
> https://www.redhat.com/security/data/metrics/cve-metadata-from-bugzilla.xml
> still contains the 2019 CVE.

It is fixed now, thanks for pointing it out!
This vulnerability is out of security support scope for the following product:

* Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17196