BIT-kafka-2021-38153

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/kafka/BIT-kafka-2021-38153.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-kafka-2021-38153

Aliases

Published

2024-03-06T10:54:31.089Z

Modified

2024-10-15T05:42:19.120204Z

Summary

[none]

Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / kafka

Package

Name: kafka
Purl: pkg:bitnami/kafka

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0

Fixed

2.6.3

Introduced

2.7.0

Fixed

2.7.2

Type: SEMVER
Events: Introduced

2.8.0

Last affected

2.8.0