CVE-2021-38153
- Source
- https://cve.org/CVERecord?id=CVE-2021-38153
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38153.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-38153
- Aliases
- Downstream
- Related
- Published
- 2021-09-22T09:15:07.847Z
- Modified
- 2026-03-10T23:42:19.361978Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Some components in Apache Kafka use
Arrays.equalsto validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. - References
-
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://kafka.apache.org/cve-list
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
Affected packages
Git / github.com/quarkusio/quarkus
Affected ranges
- Type
- GIT
- Repo
- https://github.com/quarkusio/quarkus
- Events
-
IntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "2.0.0" }, { "fixed": "2.6.3" }, { "introduced": "2.7.0" }, { "fixed": "2.7.2" }, { "introduced": "0" }, { "last_affected": "2.8.0-NA" }, { "introduced": "0" }, { "fixed": "2.2.4" } ] }
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.0.0.4.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.0.0.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.15.0"
}
]
},
{
"events": [
{
"introduced": "8.0.6.0"
},
{
"last_affected": "8.0.9.0"
}
]
},
{
"events": [
{
"introduced": "8.1.0.0.0"
},
{
"last_affected": "8.1.20"
}
]
},
{
"events": [
{
"introduced": "8.0.6.0.0"
},
{
"last_affected": "8.0.8.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.1.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.2.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.7.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.7.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.8.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.8.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.1.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.8"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.12"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "20.12"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "21.12"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38153.json"