CVE-2021-38153

Status: PUBLISHED

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
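
The root cause is an early-exit comparison: `Arrays.equals` returns as soon as one byte differs, so the time a check takes reveals how many leading bytes of a candidate were correct, and that is what lets a remote brute-force attempt converge faster than it otherwise would. The Java snippet below is an added illustration, not code from Apache Kafka or from this record; the class and method names (`CredentialCompare`, `vulnerableEquals`, `constantTimeEquals`, `constantTimeEqualsManual`) and the sample strings are constructed for the example. It places the vulnerable pattern beside the standard-library fix (`MessageDigest.isEqual`) and a hand-written constant-time compare that shows why the fix works.

```java
// Added illustration of the CVE-2021-38153 pattern; not Apache Kafka source.
// All credential values below are constructed sample data.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public final class CredentialCompare {

    /**
     * The pattern the advisory describes. Arrays.equals is a plain
     * element-wise comparison that stops at the first mismatching byte, so
     * its running time depends on the length of the matching prefix.
     */
    static boolean vulnerableEquals(byte[] expected, byte[] provided) {
        return Arrays.equals(expected, provided);
    }

    /**
     * Standard-library fix. MessageDigest.isEqual has been implemented as a
     * constant-time comparison since JDK 6u17: a mismatch in the first byte
     * and a mismatch in the last byte take the same time.
     */
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        return MessageDigest.isEqual(expected, provided);
    }

    /**
     * The same technique written out. Every byte difference is OR-ed into one
     * accumulator, the loop never exits early, and a length mismatch is folded
     * into the result rather than returned immediately. The length itself is
     * still observable, which is one reason real systems compare fixed-length
     * hashes rather than raw secrets.
     */
    static boolean constantTimeEqualsManual(byte[] expected, byte[] provided) {
        int result = expected.length ^ provided.length;
        for (int i = 0; i < expected.length; i++) {
            // If provided is shorter, compare against a fixed byte so the loop
            // still runs expected.length times.
            int other = i < provided.length ? provided[i] : 0;
            result |= expected[i] ^ other;
        }
        return result == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        byte[] stored = "correct-horse-battery-staple".getBytes(StandardCharsets.UTF_8);
        byte[] wrongEarly = "xorrect-horse-battery-staple".getBytes(StandardCharsets.UTF_8);
        byte[] wrongLate = "correct-horse-battery-stapl3".getBytes(StandardCharsets.UTF_8);

        System.out.println("Arrays.equals, late mismatch      : " + vulnerableEquals(stored, wrongLate));
        System.out.println("MessageDigest.isEqual, late       : " + constantTimeEquals(stored, wrongLate));
        System.out.println("manual constant-time, late        : " + constantTimeEqualsManual(stored, wrongLate));
        System.out.println("manual constant-time, early       : " + constantTimeEqualsManual(stored, wrongEarly));
        System.out.println("manual constant-time, correct     : " + constantTimeEqualsManual(stored, stored.clone()));
    }
}
```

All three methods return the same boolean; the difference is only in how long they take to reach a `false`, which is exactly what a timing attack measures. On the JVM, constant-time behaviour is best-effort (the JIT can reshape a hand-written loop), so production code should prefer the library routine over the manual version.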

Risk Scores

EPSS Score: 1.52% (81.6th percentile)

Affected Products

Vendor   Product  Versions
Bitnami  kafka    2.0.0, 2.7.0, 2.8.0

Exploit Intelligence

Timeline

  • CVE Published
  • Sep 23, 2021: EPSS score updated
  • Oct 5, 2021: EPSS score updated
  • Oct 8, 2021: EPSS score updated
  • Oct 13, 2021: EPSS score updated
  • Oct 27, 2021: EPSS score updated
  • Jan 6, 2022: EPSS score updated
  • Feb 4, 2022: EPSS score updated
  • Feb 8, 2022: EPSS score updated
  • Apr 1, 2022: EPSS score updated
  • May 10, 2022: EPSS score updated
  • Sep 2, 2022: EPSS score updated