exploitDog

GHSA-3j6g-hxx5-3q26

Опубликовано: 23 сент. 2021

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

Observable Discrepancy in Apache Kafka

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Ссылки

Пакеты

Наименование

org.apache.kafka:kafka_2.11

maven

Затронутые версииВерсия исправления

>= 2.0.0, <= 2.4.1

Отсутствует

Наименование

org.apache.kafka:kafka_2.12

maven

Затронутые версииВерсия исправления

>= 2.0.0, < 2.6.3

2.6.3

Наименование

org.apache.kafka:kafka_2.12

maven

Затронутые версииВерсия исправления

>= 2.7.0, < 2.7.2

2.7.2

Наименование

org.apache.kafka:kafka_2.12

maven

Затронутые версииВерсия исправления

= 2.8.0

2.8.1

Наименование

org.apache.kafka:kafka_2.13

maven

Затронутые версииВерсия исправления

>= 2.4.0, < 2.6.3

2.6.3

Наименование

org.apache.kafka:kafka_2.13

maven

Затронутые версииВерсия исправления

>= 2.7.0, < 2.7.2

2.7.2

Наименование

org.apache.kafka:kafka_2.13

maven

Затронутые версииВерсия исправления

= 2.8.0

2.8.1

Наименование

org.apache.kafka:kafka-clients

maven

Затронутые версииВерсия исправления

>= 2.0.0, < 2.6.3

2.6.3

Наименование

org.apache.kafka:kafka-clients

maven

Затронутые версииВерсия исправления

>= 2.7.0, < 2.7.2

2.7.2

Наименование

org.apache.kafka:kafka-clients

maven

Затронутые версииВерсия исправления

= 2.8.0

2.8.1

EPSS

Процентиль: 80%

0.01432

Низкий

5.9 Medium

CVSS3

CVE ID

Дефекты

CWE-203

Связанные уязвимости

CVE-2021-38153

CVSS3: 5.9

ubuntu

больше 4 лет назад

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

CVE-2021-38153

CVSS3: 5.9

redhat

больше 4 лет назад

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

CVE-2021-38153

CVSS3: 5.9

nvd

больше 4 лет назад

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

CVE-2021-38153

CVSS3: 5.9

debian

больше 4 лет назад

Some components in Apache Kafka use `Arrays.equals` to validate a pass ...

BDU:2024-00046

CVSS3: 5.9

fstec

больше 4 лет назад

Уязвимость диспетчера сообщений Apache Kafka, позволяющая нарушителю реализовать атаку методом «грубой силы» (brute force)

EPSS

Процентиль: 80%

0.01432

Низкий

5.9 Medium

CVSS3

CVE ID

Дефекты

CWE-203