CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authorization checks in the Transactions API.

These are cribbed directly (though by hand, so not infallibly!) from mainline Kafka. In plain English, to add offsets to the transaction, you need WRITE permissions for the transactional ID and READ permissions for the group.

To be perfectly honest I’m not 100% on the semantics here, but, to my understanding, the request is ill-formed if those conditions aren’t met.
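
The rule described in the comment above, as an added example that is not code from the redpanda pull request: an exact-match, ALLOW-only ACL model (an assumption made here; real brokers also evaluate wildcard, prefix and DENY entries) and the two checks an add-offsets-to-transaction request has to pass, returning the name of the check that rejected it so the refusal can be logged. The error-name strings and the sample ACL table are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class ResourceType(Enum):
    TRANSACTIONAL_ID = "transactional_id"
    GROUP = "group"


class Operation(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Acl:
    """One ALLOW entry: principal may perform operation on the named resource."""
    principal: str
    resource_type: ResourceType
    resource_name: str
    operation: Operation


def is_authorized(acls, principal, resource_type, resource_name, operation):
    """True if some ACL entry grants exactly this (principal, resource, operation)."""
    return any(a == Acl(principal, resource_type, resource_name, operation) for a in acls)


def authorize_add_offsets_to_txn(acls, principal, transactional_id, group_id):
    """Return None if allowed, else the name of the check that rejected the request.

    Both checks must pass; they run in order so the caller can log which one failed.
    """
    if not is_authorized(acls, principal, ResourceType.TRANSACTIONAL_ID,
                         transactional_id, Operation.WRITE):
        return "TRANSACTIONAL_ID_AUTHORIZATION_FAILED"
    if not is_authorized(acls, principal, ResourceType.GROUP, group_id, Operation.READ):
        return "GROUP_AUTHORIZATION_FAILED"
    return None


# Constructed sample ACL table: "payments" holds both grants, "audit" only the group grant.
SAMPLE_ACLS = [
    Acl("User:payments", ResourceType.TRANSACTIONAL_ID, "payments-txn", Operation.WRITE),
    Acl("User:payments", ResourceType.GROUP, "payments-consumers", Operation.READ),
    Acl("User:audit", ResourceType.GROUP, "payments-consumers", Operation.READ),
]
```

A principal holding only one of the two grants is refused, which is the case the missing check in the affected versions let through.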