GHSA-q2xx-f8r3-9mg5 · Severity: high · Ecosystem: maven — STRIMZI incorrect access control
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API.
Conclusion & alert: CVE-2024-36543 is rated Moderate Risk (53.7/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.53%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.12% | 0.53% | +0.41% |
| 2 | 2025-11-21 | 0.35% | 0.12% | -0.23% |
| 3 | 2025-11-18 | — | 0.35% | — |
Full EPSS history (8 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-q2xx-f8r3-9mg5 · Severity: high · Ecosystem: maven — STRIMZI incorrect access control
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||