GHSA-3j6g-hxx5-3q26

Suggest an improvement
Source
https://github.com/advisories/GHSA-3j6g-hxx5-3q26
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-3j6g-hxx5-3q26/GHSA-3j6g-hxx5-3q26.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3j6g-hxx5-3q26
Aliases
Published
2021-09-23T23:18:58Z
Modified
2024-10-22T05:28:59.273186Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Observable Discrepancy in Apache Kafka
Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Database specific 
{
    "nvd_published_at": "2021-09-22T09:15:00Z",
    "cwe_ids": [
        "CWE-203"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-23T16:45:11Z"
}
References

Affected packages

Maven / org.apache.kafka:kafka_2.11

Package

Name
org.apache.kafka:kafka_2.11
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.11

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Last affected
2.4.1

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.4.0
2.4.1

Maven / org.apache.kafka:kafka_2.12

Package

Name
org.apache.kafka:kafka_2.12
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.12

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.6.3

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2

Maven / org.apache.kafka:kafka_2.12

Package

Name
org.apache.kafka:kafka_2.12
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.12

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.2

Affected versions

2.*

2.7.0
2.7.1

Maven / org.apache.kafka:kafka_2.12

Package

Name
org.apache.kafka:kafka_2.12
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.12

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.1

Affected versions

2.*

2.8.0

Maven / org.apache.kafka:kafka_2.13

Package

Name
org.apache.kafka:kafka_2.13
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.13

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.6.3

Affected versions

2.*

2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2

Maven / org.apache.kafka:kafka_2.13

Package

Name
org.apache.kafka:kafka_2.13
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.13

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.2

Affected versions

2.*

2.7.0
2.7.1

Maven / org.apache.kafka:kafka_2.13

Package

Name
org.apache.kafka:kafka_2.13
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka_2.13

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.1

Affected versions

2.*

2.8.0

Maven / org.apache.kafka:kafka-clients

Package

Name
org.apache.kafka:kafka-clients
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka-clients

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.6.3

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2

Maven / org.apache.kafka:kafka-clients

Package

Name
org.apache.kafka:kafka-clients
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka-clients

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.2

Affected versions

2.*

2.7.0
2.7.1

Maven / org.apache.kafka:kafka-clients

Package

Name
org.apache.kafka:kafka-clients
View open source insights on deps.dev
Purl
pkg:maven/org.apache.kafka/kafka-clients

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.1

Affected versions

2.*

2.8.0