CVE-2024-31141: 
Java vulnerability analysis and mitigation

Apache Kafka Clients versions from 2.3.0 through 3.5.2, 3.6.2, and 3.7.0 are affected by a vulnerability (CVE-2024-31141) related to improper privilege management and file access control. The vulnerability exists in how Apache Kafka Clients handle configuration data through ConfigProvider plugins, specifically in FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations (OSS Security, Security Online).

The vulnerability stems from Apache Kafka Clients' configuration data handling mechanism, which includes ConfigProvider plugins for configuration manipulation. The implementation allows these providers to read from disk or environment variables. When Apache Kafka Clients configurations can be specified by untrusted parties, the ConfigProviders can be exploited to read arbitrary contents from the disk and environment variables. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (OSS Security).

The primary impact of this vulnerability is the potential unauthorized access to sensitive information. In Apache Kafka Connect environments, attackers can escalate from REST API access to filesystem/environment access, which is particularly concerning in SaaS product environments. This could lead to the exposure of sensitive files and environment variables (Security Online).

Users are recommended to upgrade kafka-clients to version 3.8.0 or higher and set the JVM system property 'org.apache.kafka.automatic.config.providers=none'. For Kafka Connect users with specific ConfigProvider implementations, it is recommended to implement 'allowlist.pattern' and 'allowed.paths' to restrict access. However, users of Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools should not set the system property (OSS Security).