8.8

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2018-17196

GHSA ID

GHSA-47w3-66wq-cpxg

EPSS Score

0.45951%

CWE

CWE-20

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-17196

CVE-2018-17196: Improper Input Validation in Apache Kafka

In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2018-17196

CVE-2018-17196:

8.8

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2018-17196

GHSA ID

GHSA-47w3-66wq-cpxg

EPSS Score

0.45951%

CWE

CWE-20

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.kafka:kafka	maven	>= 0.11.0.0, <= 2.1.0	2.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper ACL validation for transactional/idempotent Produce requests. Analysis of Kafka's architecture indicates:

KafkaApis.handleProducerRequest is the entry point for processing Produce requests and would be responsible for initiating authorization checks
Authorizer.authorize is the core ACL validation mechanism that would require context-aware checks for transactional operations
The CVE description explicitly mentions bypassing of transaction/idempotent ACL validation, implicating these core request processing and authorization functions
While exact patch details are unavailable, the vulnerability pattern matches missing context-specific validation in these critical path functions

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2018-17196: Improper Input Validation in Apache Kafka

CVE-2018-17196:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2018-17196: Improper Input Validation in Apache Kafka

8.8

8.8

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI