CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56128 – Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption
https://notcve.org/view.php?id=CVE-2024-56128
18 Dec 2024 — Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. Impact: Th... • https://datatracker.ietf.org/doc/html/rfc5802 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27309 – Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
https://notcve.org/view.php?id=CVE-2024-27309
12 Apr 2024 — While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal. When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or m... • http://www.openwall.com/lists/oss-security/2024/04/12/3 • CWE-863: Incorrect Authorization •