
SASL authentication failures may return sensitive data to client


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.2.0
    • Component/s: security
    • Labels: None

      Description

      There was a regression from the commit https://github.com/apache/kafka/commit/e8a3bc74254a8e4e4aaca41395177fa4a98b480c#diff-e4c812749f57c982e2570492657ea787, which added the error message from the SaslException thrown by the server during authentication into the error response returned to clients. Since this exception message may contain sensitive data (for example, revealing that a user exists but the password did not match), we should not return it to clients. We have a separate exception (`AuthenticationException`) for errors that are safe to propagate to clients.

      The regression was not in any released version; the related commit will only be in 2.2.0, so we just need to fix this before 2.2.0.
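      The pattern the description warns about, shown as an added example that is not Kafka's code: a server-side SASL check throws `javax.security.sasl.SaslException` with an internal detail message, and two response builders differ only in whether that message is copied into the client-facing error. The `AuthenticationException` class, the `USERS` credential map, the `SASL_AUTHENTICATION_FAILED:` prefix and the two login attempts are all constructed for this illustration and are not taken from the Kafka code base.

```java
import java.util.Map;
import javax.security.sasl.SaslException;

public class SaslErrorResponseDemo {

    // Hypothetical stand-in for Kafka's AuthenticationException: the one
    // exception type whose message is considered safe to send to clients.
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) {
            super(message);
        }
    }

    // Constructed credential store for the example; not real credentials.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Simulated server-side check. Like a real SASL server callback it
    // throws SaslException with an internal detail message that is useful
    // in server logs but distinguishes "no such user" from "bad password".
    static void authenticate(String user, String password) throws SaslException {
        String expected = USERS.get(user);
        if (expected == null) {
            throw new SaslException("unknown user '" + user + "'");
        }
        if (!expected.equals(password)) {
            throw new SaslException("password mismatch for user '" + user + "'");
        }
    }

    // Regressed behaviour: the SaslException message is copied verbatim
    // into the response, so a remote client can tell which usernames exist.
    static String regressedErrorResponse(Exception e) {
        return "SASL_AUTHENTICATION_FAILED: " + e.getMessage();
    }

    // Fixed behaviour: only an AuthenticationException (explicitly marked
    // safe) has its message propagated. Any other failure is logged on the
    // server and answered with a fixed generic message, so every failed
    // attempt looks the same from the client's side.
    static String safeErrorResponse(Exception e) {
        if (e instanceof AuthenticationException) {
            return "SASL_AUTHENTICATION_FAILED: " + e.getMessage();
        }
        System.err.println("[server log] SASL failure detail: " + e.getMessage());
        return "SASL_AUTHENTICATION_FAILED: Authentication failed";
    }

    public static void main(String[] args) {
        // Constructed attempts: one existing user with a wrong password,
        // one user that does not exist.
        String[][] attempts = { { "alice", "wrong" }, { "bob", "wrong" } };
        for (String[] attempt : attempts) {
            try {
                authenticate(attempt[0], attempt[1]);
            } catch (SaslException e) {
                System.out.println("regressed: " + regressedErrorResponse(e));
                System.out.println("fixed:     " + safeErrorResponse(e));
            }
        }
    }
}
```

      Running the demo shows the regressed responses differing between the two attempts, while the fixed responses are identical; the distinguishing detail still reaches the server log, which is where it belongs.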


      People

      • Assignee: Rajini Sivaram (rsivaram)
      • Reporter: Rajini Sivaram (rsivaram)
      • Votes: 0
      • Watchers: 4
