CVE-2021-33924
Description
Confluent Ansible (cp-ansible) versions 5.5.0, 5.5.1, 5.5.2 and 6.0.0 are vulnerable to Incorrect Access Control via an auxiliary component that allows remote attackers to access sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Confluent Ansible (cp-ansible) versions 5.5.0-5.5.2 and 6.0.0 expose an unauthenticated auxiliary monitoring component, leaking sensitive metrics and configuration.
Vulnerability
The default deployment of Confluent Ansible (cp-ansible) versions 5.5.0, 5.5.1, 5.5.2, and 6.0.0 enables an auxiliary monitoring component without requiring authentication [2]. This component exposes metrics and configuration values from several Confluent Platform components. The vulnerability is present in the default playbook configuration and does not require any special settings to be reachable [2].
Exploitation
An attacker with network access to the auxiliary component's endpoint can retrieve sensitive information without any authentication or prior knowledge [2]. No user interaction or special privileges are required. The attacker simply sends requests to the exposed endpoint to obtain metrics and configuration data [2].
Impact
Successful exploitation leads to information disclosure of metrics and configuration values from Confluent Platform components [2]. In very specific circumstances, this information can be leveraged for horizontal privilege escalation within some Kafka components, potentially allowing an attacker to gain further access [2].
Mitigation
Confluent released fixed versions cp-ansible 5.5.3 and 6.0.1 in December 2020 [2]. Users should upgrade to these or later versions. No workarounds are documented in the available references [2]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Confluent/cp-ansible
- Range: 5.5.0, 5.5.1, 5.5.2, 6.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A management/monitoring component deployed by default in cp-ansible does not require authentication, exposing metrics and configuration data."
Attack vector
An attacker with network access to the Confluent Platform deployment can reach the unauthenticated auxiliary management component that is enabled by default in cp-ansible versions 5.5.0–5.5.2 and 6.0.0 [ref_id=1]. No prior authentication is required. The component exposes metrics and configuration values from several Platform components, and in very specific circumstances this access can lead to horizontal privilege escalation within some Kafka components [ref_id=1].
Affected code
The advisory does not specify exact file paths or function names. The vulnerable auxiliary component is a management/monitoring component deployed by the cp-ansible playbooks that, in default installations, is enabled without authentication [ref_id=1].
What the fix does
The fix was released in cp-ansible versions 5.5.3 and 6.0.1 in December 2020 [ref_id=1]. The advisory does not include a patch diff, but the remediation requires that the auxiliary management component be configured to require authentication before exposing metrics and configuration data, closing the unauthenticated access path [ref_id=1].
Preconditions
- Config: The target must be running a default deployment of cp-ansible versions 5.5.0, 5.5.1, 5.5.2, or 6.0.0
- Network: The attacker must have network access to the auxiliary management component
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- confluent.io (mitre, x_refsource_MISC)
- www.detack.de/en/cve-2021-33924 (mitre, x_refsource_MISC)