Apache Kafka Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Kafka.

CVE-2018-17196 Authenticated clients with Write permission may bypass transaction/idempotent ACL validation

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request that bypasses transaction/idempotent ACL validation: the IdempotentWrite ACL on the Cluster resource and the Write ACL on the TransactionalId resource that a broker is supposed to enforce before accepting idempotent or transactional batches. Only authenticated clients that already hold Write permission on the respective topics are able to exploit this vulnerability, so it is an escalation from topic-level write access to producer-id and transaction capabilities the client was never granted. Users should upgrade to 2.1.1 or later, where this vulnerability has been fixed.

Versions affected: 0.11.0.0 to 2.1.0, 0.10.2.2
Fixed versions: 2.1.1 and later
Impact: This issue could result in privilege escalation.
Issue announced: 10 July 2019
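The bug class behind this advisory is a broker deciding which ACL to check from a request-level summary while the state that is actually acted on lives in the per-batch headers. The Python below is an added illustration, not Kafka's code: it packs and parses the 61-byte RecordBatch v2 header documented in the Kafka protocol guide (producerId and the transactional attribute bit), then contrasts a check that trusts the request-level transactional_id field and only the first partition's batch (an assumed shape of a bypassable check, not a transcription of the broker source) with one that derives the required ACL from every batch. The Authorizer class, the principals User:app and User:tx, the topic orders and the transactional id tx-1 are all constructed for the example.

```python
"""Model of the ACL check behind CVE-2018-17196.

Added illustration, not Kafka's code. The RecordBatch v2 header layout is the
one in the Kafka protocol guide; the ACL table, principals, topic and
transactional id are constructed for the example, and check_vulnerable is an
assumed shape of a bypassable check rather than the broker's source.
"""
import struct

# RecordBatch (magic v2) header, big-endian, 61 bytes, in this order:
# baseOffset(8) batchLength(4) partitionLeaderEpoch(4) magic(1) crc(4)
# attributes(2) lastOffsetDelta(4) firstTimestamp(8) maxTimestamp(8)
# producerId(8) producerEpoch(2) baseSequence(4) recordCount(4)
BATCH_HEADER = struct.Struct(">qiibIhiqqqhii")
NO_PRODUCER_ID = -1          # producerId of a batch from a non-idempotent producer
ATTR_TRANSACTIONAL = 0x0010  # bit 4 of attributes marks a transactional batch


def build_batch(producer_id=NO_PRODUCER_ID, transactional=False):
    """Pack an empty v2 batch header (zero records; CRC left 0 and not checked here)."""
    attrs = ATTR_TRANSACTIONAL if transactional else 0
    body_len = BATCH_HEADER.size - 12   # batchLength excludes baseOffset and itself
    epoch = seq = -1 if producer_id == NO_PRODUCER_ID else 0
    return BATCH_HEADER.pack(0, body_len, -1, 2, 0, attrs, 0, -1, -1,
                             producer_id, epoch, seq, 0)


def batch_flags(buf):
    """Return (has_producer_id, is_transactional) read from a v2 batch header."""
    f = BATCH_HEADER.unpack_from(buf, 0)
    magic, attrs, producer_id = f[3], f[5], f[9]
    if magic != 2:
        raise ValueError("only magic v2 batches carry producer/transaction state")
    return producer_id != NO_PRODUCER_ID, bool(attrs & ATTR_TRANSACTIONAL)


class Authorizer:
    """Minimal ACL table: principal -> {(operation, resourceType, resourceName)}."""

    def __init__(self, acls):
        self.acls = acls

    def allowed(self, principal, operation, rtype, name):
        return (operation, rtype, name) in self.acls.get(principal, set())


def check_vulnerable(authz, principal, transactional_id, batches):
    """Assumed bypassable shape: the request-level transactional_id and the
    first partition's batch decide which extra ACL, if any, is checked."""
    if transactional_id is not None:
        return authz.allowed(principal, "Write", "TransactionalId", transactional_id)
    has_pid, _ = batch_flags(batches[0])
    if has_pid:
        return authz.allowed(principal, "IdempotentWrite", "Cluster", "kafka-cluster")
    return True


def check_hardened(authz, principal, transactional_id, batches):
    """Derive the required ACL from every batch header; the request-level
    field may only name the transactional id, never waive the check."""
    any_txn = any_pid = False
    for b in batches:
        has_pid, is_txn = batch_flags(b)
        if is_txn and not has_pid:
            raise ValueError("transactional batch without a producer id")
        any_txn |= is_txn
        any_pid |= has_pid
    if any_txn:
        return (transactional_id is not None and
                authz.allowed(principal, "Write", "TransactionalId", transactional_id))
    if any_pid:
        return authz.allowed(principal, "IdempotentWrite", "Cluster", "kafka-cluster")
    return True


def authorize_produce(authz, principal, transactional_id, partitions, extra_check):
    """Topic Write is always required (the advisory's precondition); extra_check
    is one of the two variants above. partitions is [(topic, batch_bytes)],
    one batch per partition as Produce v3+ requires."""
    for topic, _ in partitions:
        if not authz.allowed(principal, "Write", "Topic", topic):
            return False
    return extra_check(authz, principal, transactional_id, [b for _, b in partitions])


def demo():
    """Constructed case: User:app may write to 'orders' but holds neither
    IdempotentWrite on the cluster nor Write on any TransactionalId."""
    authz = Authorizer({"User:app": {("Write", "Topic", "orders")}})
    crafted = [("orders", build_batch()),                                     # plain batch first
               ("orders", build_batch(producer_id=4242, transactional=True))]  # txn batch after it
    vuln = authorize_produce(authz, "User:app", None, crafted, check_vulnerable)
    hard = authorize_produce(authz, "User:app", None, crafted, check_hardened)
    return vuln, hard   # (True, False): only the hardened check rejects the crafted request


if __name__ == "__main__":
    print(demo())
```

The useful operational takeaway is the shape of the hardened check: every batch is inspected, a transactional batch forces a TransactionalId Write check against an id the request must name, and an idempotent batch forces the cluster IdempotentWrite check; a request-level field can only add a requirement, never remove one.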