CVE-2021-38153 org.apache.kafka:kafka_2.11

Package

Manager: maven
Name: org.apache.kafka:kafka_2.11
Vulnerable Version: >=2.0.0 <=2.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00978 pctl0.75863

Details

Observable Discrepancy in Apache Kafka

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute-force attacks on such credentials more likely to succeed. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher, where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
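The following is an added illustration of the weakness class the advisory describes (CWE-203), not code from Apache Kafka or from the advisory itself. It places the `Arrays.equals` pattern beside two constant-time alternatives: the JDK's `MessageDigest.isEqual` and a hand-written XOR-accumulate loop, so the difference in behaviour is visible. The class name, method names and the sample credential bytes are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class CredentialCompare {

    // The pattern named in the advisory. Arrays.equals returns as soon as it
    // finds a mismatching byte, so elapsed time grows with the number of
    // leading bytes the caller got right. (Illustrative, not Kafka code.)
    static boolean leakyEquals(byte[] expected, byte[] provided) {
        return Arrays.equals(expected, provided);
    }

    // Constant-time comparison shipped with the JDK: for equal-length inputs
    // it inspects every byte before deciding, so the result is not reflected
    // in how long the call takes.
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        return MessageDigest.isEqual(expected, provided);
    }

    // The same property written out by hand so it can be reviewed: every byte
    // is XORed and OR-accumulated, and there is no early return on mismatch.
    // Only the length check short-circuits; compare fixed-length values (for
    // example digests of the credentials) so the length itself is not a secret.
    static boolean constantTimeEqualsManual(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return a == b;
        }
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Instrumented early-exit loop (the behaviour behind Arrays.equals) that
    // reports how many bytes it looked at. This is the "observable
    // discrepancy": the count, and therefore the timing, depends on the input.
    static int bytesInspectedEarlyExit(byte[] expected, byte[] provided) {
        int n = Math.min(expected.length, provided.length);
        for (int i = 0; i < n; i++) {
            if (expected[i] != provided[i]) {
                return i + 1;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample credential bytes; in a real service compare a
        // stored digest, never the plaintext secret.
        byte[] expected  = "s3cr3t-token".getBytes(StandardCharsets.UTF_8);
        byte[] wrongFirst = "x3cr3t-token".getBytes(StandardCharsets.UTF_8);
        byte[] wrongLast  = "s3cr3t-tokex".getBytes(StandardCharsets.UTF_8);
        byte[] correct    = "s3cr3t-token".getBytes(StandardCharsets.UTF_8);

        System.out.println("early-exit bytes inspected, mismatch at byte 1:  "
                + bytesInspectedEarlyExit(expected, wrongFirst));   // 1
        System.out.println("early-exit bytes inspected, mismatch at byte 12: "
                + bytesInspectedEarlyExit(expected, wrongLast));    // 12

        // All three comparators agree on the answer; only the work done per
        // call differs, which is exactly what a constant-time check fixes.
        System.out.println("leakyEquals(correct)        = " + leakyEquals(expected, correct));
        System.out.println("constantTimeEquals(correct) = " + constantTimeEquals(expected, correct));
        System.out.println("manual(correct)             = " + constantTimeEqualsManual(expected, correct));
        System.out.println("constantTimeEquals(wrong)   = " + constantTimeEquals(expected, wrongLast));
        System.out.println("manual(wrong)               = " + constantTimeEqualsManual(expected, wrongLast));
    }
}
```

When auditing a codebase for this class of issue, search for `Arrays.equals`, `String.equals` and `MessageDigest`-free byte comparisons on paths that validate tokens, passwords, HMACs or session keys, and replace them with `MessageDigest.isEqual` or an equivalent loop that always runs to full length. The advisory's own remediation for Kafka deployments remains the upgrade to 2.8.1 or 3.0.0 and later.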

Metadata

Created: 2021-09-23T23:18:58Z
Modified: 2022-02-08T20:43:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-3j6g-hxx5-3q26/GHSA-3j6g-hxx5-3q26.json
CWE IDs: ["CWE-203"]
Alternative ID: GHSA-3j6g-hxx5-3q26
Finding: F026
Auto approve: 1