CVE-2022-34917

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-34917

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-34917.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-34917

Aliases

Withdrawn

2024-09-03T04:41:18.687914Z

Published

2022-09-20T09:15:09Z

Modified

2024-09-03T04:16:18.950074Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.

References

https://kafka.apache.org/cve-list

Affected packages

Git / github.com/apache/kafka

Affected ranges

Type: GIT
Repo: https://github.com/apache/kafka
Events: Introduced

ebb1d6e21cc9213071ee1c6a15ec3411fc215b81

Fixed

3146c6ff4a24cc24d6039037e99edc8930d1958a

Affected versions

2.*

2.8.0

2.8.0-rc2

2.8.1

2.8.1-rc1