All the vulnerabilites related to Apache Software Foundation - Apache Kafka
cve-2024-27309
Vulnerability from cvelistv5
Published
2024-04-12 06:58
Modified
2024-08-02 00:28
Severity ?
Summary
Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "kafka",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "3.5.2",
                "status": "affected",
                "version": "3.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "3.6.1",
                "status": "affected",
                "version": "3.6.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-08T18:38:58.405732Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-08T20:13:14.394Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:28:00.345Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/6536rmzyg076lzzdw2xdktvnz163mjpy"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/12/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240705-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.5.2",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "3.6.1",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eWhile an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eTwo preconditions are needed to trigger the bug:\u003cbr\u003e1. The administrator decides to remove an ACL\u003cbr\u003e2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.\u003cbr\u003e\u003cbr\u003eWhen those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct.\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eThe incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain).\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eThe full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. if DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
            }
          ],
          "value": "While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced.\n\nTwo preconditions are needed to trigger the bug:\n1. The administrator decides to remove an ACL\n2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.\n\nWhen those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct.\n\nThe incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain).\n\nThe full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. if DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-12T06:58:45.134Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/6536rmzyg076lzzdw2xdktvnz163mjpy"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/12/3"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240705-0002/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-27309",
    "datePublished": "2024-04-12T06:58:45.134Z",
    "dateReserved": "2024-02-22T18:32:26.014Z",
    "dateUpdated": "2024-08-02T00:28:00.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12610
Vulnerability from cvelistv5
Published
2018-07-26 14:00
Modified
2024-09-17 01:10
Severity ?
Summary
In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.182Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[kafka-users] 20180726 CVE-2017-12610: Authenticated Kafka clients may impersonate other users",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b6157be1a09df332294213bd21e90dcf9fe4c1810193be54620e4210%40%3Cusers.kafka.apache.org%3E"
          },
          {
            "name": "104899",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104899"
          },
          {
            "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "0.10.0.0 to 0.10.2.1"
            },
            {
              "status": "affected",
              "version": "0.11.0.0 to 0.11.0.1"
            }
          ]
        }
      ],
      "datePublic": "2018-07-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-15T02:22:55",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[kafka-users] 20180726 CVE-2017-12610: Authenticated Kafka clients may impersonate other users",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b6157be1a09df332294213bd21e90dcf9fe4c1810193be54620e4210%40%3Cusers.kafka.apache.org%3E"
        },
        {
          "name": "104899",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104899"
        },
        {
          "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-07-26T00:00:00",
          "ID": "CVE-2017-12610",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Kafka",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "0.10.0.0 to 0.10.2.1"
                          },
                          {
                            "version_value": "0.11.0.0 to 0.11.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[kafka-users] 20180726 CVE-2017-12610: Authenticated Kafka clients may impersonate other users",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b6157be1a09df332294213bd21e90dcf9fe4c1810193be54620e4210@%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "104899",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104899"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2017-12610",
    "datePublished": "2018-07-26T14:00:00Z",
    "dateReserved": "2017-08-07T00:00:00",
    "dateUpdated": "2024-09-17T01:10:36.261Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-38153
Vulnerability from cvelistv5
Published
2021-09-22 09:05
Modified
2024-08-04 01:37
Severity ?
Summary
Timing Attack Vulnerability for Apache Kafka Connect and Clients
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:15.929Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kafka.apache.org/cve-list"
          },
          {
            "name": "[kafka-dev] 20211007 Re: CVE Back Port?",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.0.1",
              "status": "affected",
              "version": "Apache Kafka 2.0.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.1.1",
              "status": "affected",
              "version": "Apache Kafka 2.1.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.2.2",
              "status": "affected",
              "version": "Apache Kafka 2.2.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.3.1",
              "status": "affected",
              "version": "Apache Kafka 2.3.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "Apache Kafka 2.4.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.5.1",
              "status": "affected",
              "version": "Apache Kafka 2.5.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.6.2",
              "status": "affected",
              "version": "Apache Kafka 2.6.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.7.1",
              "status": "affected",
              "version": "Apache Kafka 2.7.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.8.0",
              "status": "affected",
              "version": "Apache Kafka 2.8.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Kafka would like to thank J. Santilli for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203 Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:31:36",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kafka.apache.org/cve-list"
        },
        {
          "name": "[kafka-dev] 20211007 Re: CVE Back Port?",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Timing Attack Vulnerability for Apache Kafka Connect and Clients",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-38153",
          "STATE": "PUBLIC",
          "TITLE": "Timing Attack Vulnerability for Apache Kafka Connect and Clients"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Kafka",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.0.x",
                            "version_value": "2.0.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.1.x",
                            "version_value": "2.1.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.2.x",
                            "version_value": "2.2.2"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.3.x",
                            "version_value": "2.3.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.4.x",
                            "version_value": "2.4.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.5.x",
                            "version_value": "2.5.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.6.x",
                            "version_value": "2.6.2"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.7.x",
                            "version_value": "2.7.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Kafka 2.8.x",
                            "version_value": "2.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Kafka would like to thank J. Santilli for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-203 Observable Discrepancy"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kafka.apache.org/cve-list",
              "refsource": "MISC",
              "url": "https://kafka.apache.org/cve-list"
            },
            {
              "name": "[kafka-dev] 20211007 Re: CVE Back Port?",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20211012 [VOTE] 2.6.3 RC0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20211012 [VOTE] 2.7.2 RC0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-38153",
    "datePublished": "2021-09-22T09:05:11",
    "dateReserved": "2021-08-06T00:00:00",
    "dateUpdated": "2024-08-04T01:37:15.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-34917
Vulnerability from cvelistv5
Published
2022-09-20 08:35
Modified
2024-08-03 09:22
Severity ?
Summary
Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers
References
https://kafka.apache.org/cve-listx_refsource_MISC
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:22:10.826Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kafka.apache.org/cve-list"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Kafka 2.8.0 2.8.0 "
            },
            {
              "status": "affected",
              "version": "Apache Kafka 2.8.1 2.8.1"
            },
            {
              "status": "affected",
              "version": "Apache Kafka 3.0.0 3.0.0"
            },
            {
              "status": "affected",
              "version": "Apache Kafka 3.0.1 3.0.1"
            },
            {
              "status": "affected",
              "version": "Apache Kafka 3.1.0 3.1.0"
            },
            {
              "status": "affected",
              "version": "Apache Kafka 3.1.1 3.1.1"
            },
            {
              "status": "affected",
              "version": "Apache Kafka 3.2.0 3.2.0"
            },
            {
              "status": "affected",
              "version": "Apache Kafka 3.2.1 3.2.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Kafka would like to thank Mickael Maison, Tom Bentley and Daniel Collins for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "High"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-20T08:35:07",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kafka.apache.org/cve-list"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-34917",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Kafka",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 2.8.0",
                            "version_value": "2.8.0 "
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 2.8.1",
                            "version_value": "2.8.1"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 3.0.0",
                            "version_value": "3.0.0"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 3.0.1",
                            "version_value": "3.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 3.1.0",
                            "version_value": "3.1.0"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 3.1.1",
                            "version_value": "3.1.1"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 3.2.0",
                            "version_value": "3.2.0"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Apache Kafka 3.2.1",
                            "version_value": "3.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Kafka would like to thank Mickael Maison, Tom Bentley and Daniel Collins for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "High"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-789: Memory Allocation with Excessive Size Value"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kafka.apache.org/cve-list",
              "refsource": "MISC",
              "url": "https://kafka.apache.org/cve-list"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-34917",
    "datePublished": "2022-09-20T08:35:07",
    "dateReserved": "2022-07-04T00:00:00",
    "dateUpdated": "2024-08-03T09:22:10.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-1288
Vulnerability from cvelistv5
Published
2018-07-26 14:00
Modified
2024-09-17 02:52
Severity ?
Summary
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:59:37.669Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[kafka-users] 20180726 CVE-2018-1288: Authenticated Kafka clients may interfere with data replication",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef%40%3Cusers.kafka.apache.org%3E"
          },
          {
            "name": "104900",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104900"
          },
          {
            "name": "RHSA-2018:3768",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3768"
          },
          {
            "name": "[kafka-commits] 20190802 [kafka-site] branch asf-site updated: Add CVE-2018-17196, fix some links. (#223)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58%40%3Ccommits.kafka.apache.org%3E"
          },
          {
            "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
          },
          {
            "name": "[flink-issues] 20200402 [GitHub] [flink] zentol opened a new pull request #11617: [FLINK-16389][kafka] Bump kafka version to 0.10.2.2",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r07e1bbd1643847d599feb34c707906a4fdcc81e3a6ab01a10c451d40%40%3Cissues.flink.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "name": "[kafka-dev] 20211007 Re: CVE Back Port?",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "0.9.0.0 to 0.9.0.1"
            },
            {
              "status": "affected",
              "version": "0.10.0.0 to 0.10.2.1"
            },
            {
              "status": "affected",
              "version": "0.11.0.0 to 0.11.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "datePublic": "2018-07-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-07T15:06:12",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[kafka-users] 20180726 CVE-2018-1288: Authenticated Kafka clients may interfere with data replication",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef%40%3Cusers.kafka.apache.org%3E"
        },
        {
          "name": "104900",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104900"
        },
        {
          "name": "RHSA-2018:3768",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3768"
        },
        {
          "name": "[kafka-commits] 20190802 [kafka-site] branch asf-site updated: Add CVE-2018-17196, fix some links. (#223)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58%40%3Ccommits.kafka.apache.org%3E"
        },
        {
          "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
        },
        {
          "name": "[flink-issues] 20200402 [GitHub] [flink] zentol opened a new pull request #11617: [FLINK-16389][kafka] Bump kafka version to 0.10.2.2",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r07e1bbd1643847d599feb34c707906a4fdcc81e3a6ab01a10c451d40%40%3Cissues.flink.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "name": "[kafka-dev] 20211007 Re: CVE Back Port?",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-07-26T00:00:00",
          "ID": "CVE-2018-1288",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Kafka",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "0.9.0.0 to 0.9.0.1"
                          },
                          {
                            "version_value": "0.10.0.0 to 0.10.2.1"
                          },
                          {
                            "version_value": "0.11.0.0 to 0.11.0.2"
                          },
                          {
                            "version_value": "1.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[kafka-users] 20180726 CVE-2018-1288: Authenticated Kafka clients may interfere with data replication",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "104900",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104900"
            },
            {
              "name": "RHSA-2018:3768",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3768"
            },
            {
              "name": "[kafka-commits] 20190802 [kafka-site] branch asf-site updated: Add CVE-2018-17196, fix some links. (#223)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58@%3Ccommits.kafka.apache.org%3E"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20200402 [GitHub] [flink] zentol opened a new pull request #11617: [FLINK-16389][kafka] Bump kafka version to 0.10.2.2",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r07e1bbd1643847d599feb34c707906a4fdcc81e3a6ab01a10c451d40@%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "[kafka-dev] 20211007 Re: CVE Back Port?",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-1288",
    "datePublished": "2018-07-26T14:00:00Z",
    "dateReserved": "2017-12-07T00:00:00",
    "dateUpdated": "2024-09-17T02:52:05.951Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}