BIT-kafka-2021-38153

Import Source
https://github.com/bitnami/vulndb/tree/main/data/kafka/BIT-kafka-2021-38153.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-kafka-2021-38153
Aliases
Published
2024-03-06T10:54:31.089Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
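
As an added illustration (not code from this advisory or from the Kafka project), the pattern the advisory describes beside the usual JDK replacement and a hand-written constant-time comparison. Class, method and sample values are assumptions; whether Kafka's own fix used exactly MessageDigest.isEqual is not stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added illustration; names are assumptions, not Kafka's own code.
public class SecretCompare {

    // The pattern the advisory describes: Arrays.equals stops at the first
    // mismatching byte, so the call's duration depends on how many leading
    // bytes of the supplied value match the stored secret.
    static boolean validateTimingLeaky(byte[] stored, byte[] supplied) {
        return Arrays.equals(stored, supplied);
    }

    // Standard JDK replacement: MessageDigest.isEqual examines every byte
    // when the lengths match (constant-time since JDK 6u17 / JDK 7).
    // It still returns early when the lengths differ, so only the length,
    // not the content, can be inferred from timing.
    static boolean validateConstantTime(byte[] stored, byte[] supplied) {
        return MessageDigest.isEqual(stored, supplied);
    }

    // The same idea written out by hand to show what "constant time" means:
    // fold every byte difference into an accumulator and decide only at the
    // end; a length mismatch counts as a difference, the loop covers the
    // shorter input, and no iteration exits early on a mismatch.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return a == b;
        }
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        byte[] stored = "s3cret-key-value".getBytes(StandardCharsets.UTF_8);
        byte[] guess = "s3cret-key-vXYZ".getBytes(StandardCharsets.UTF_8);
        System.out.println("leaky, match:      " + validateTimingLeaky(stored, stored));
        System.out.println("leaky, mismatch:   " + validateTimingLeaky(stored, guess));
        System.out.println("isEqual, match:    " + validateConstantTime(stored, stored));
        System.out.println("isEqual, mismatch: " + validateConstantTime(stored, guess));
        System.out.println("manual, mismatch:  " + constantTimeEquals(stored, guess));
    }
}
```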

References

Affected packages

Bitnami / kafka

Package

Name
kafka
Purl
pkg:bitnami/kafka

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected ranges

Type
SEMVER
Events
  • Introduced 2.0.0
  • Fixed 2.6.3
  • Introduced 2.7.0
  • Fixed 2.7.2

Type
SEMVER
Events
  • Introduced 2.8.0
  • Last affected 2.8.0