Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.
The error lies in improper access control (CWE-400) of the MirrorMaker REST API in STRIMZI. An attacker can send requests to the Kafka Connect REST API without authentication, allowing them to create malicious connectors. Through such a connector, it is possible to bypass Kafka access control lists (ACL) and redirect mirrored topic copying to an external Kafka cluster controlled by the attacker. Additionally, by querying the API, the attacker can obtain SASL credentials used by the service.
An attacker can cause denial of service (DoS) for Kafka Mirroring, steal confidential data from Kafka topics by mirroring them to their own cluster, bypass Kafka ACL mechanisms, and obtain SASL authentication credentials.
Apply patches available from the vendor according to the references. It is recommended to update to a version higher than 0.41.0 and restrict network access to the Kafka Connect REST API at the firewall or network level, so that the API is not accessible to unauthorized clients.
STRIMZI Project version 0.41.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H