# SNYK-JAVA-ORGAPACHEKAFKA-1540736
## Overview

Affected versions of this package are vulnerable to Timing Attack. Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to brute force attacks by malicious users. `Arrays.equals` compares byte by byte and returns as soon as it finds the first mismatch, so the time a comparison takes depends on how many leading bytes of the supplied value were correct; a secret-comparison routine should instead take the same time regardless of where the inputs differ.

## Remediation

Upgrade `org.apache.kafka:connect-runtime` to version 2.8.1, 2.7.2 or higher.

## References

- [GitHub Commit](https://github.com/apache/kafka/commit/00c086e9087c3163cb0502bf0067bae4d401d66e)
- [GitHub Commit](https://github.com/apache/kafka/commit/3325342fecba56c2f5b28d60ca37605a7ebf420a)
- [GitHub Commit](https://github.com/apache/kafka/commit/be5889d1d110abfd2f580d88b109a9a0c8e7b2d6)
- [GitHub Commit](https://github.com/apache/kafka/commit/d7abd32f3569a65a4b59c7dd8a655b17ffa1b455)
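The comparison pattern this advisory describes beside the JDK's constant-time alternative, as an added illustration that is not code from the Kafka project or from the linked commits; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Hypothetical credential-check helper (not Kafka's code), contrasting the
// short-circuiting comparison named in the advisory with constant-time forms.
public class CredentialCompare {

    // Vulnerable pattern: Arrays.equals walks the arrays element by element
    // and returns on the first differing byte, so the time it takes grows
    // with the length of the correctly guessed prefix.
    static boolean verifyUnsafe(byte[] stored, byte[] supplied) {
        return Arrays.equals(stored, supplied);
    }

    // Hardened form: MessageDigest.isEqual examines every byte of equal-length
    // inputs regardless of where the first mismatch is, so elapsed time no
    // longer reveals how much of the guess matched. (Differing lengths still
    // return early; compare fixed-length digests when length must stay hidden.)
    static boolean verifySafe(byte[] stored, byte[] supplied) {
        return MessageDigest.isEqual(stored, supplied);
    }

    // The same idea written out: accumulate all byte differences with XOR/OR
    // and decide only after the whole array has been visited.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null) return a == b;
        if (a.length != b.length) return false; // length treated as public here
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration.
        byte[] stored = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        byte[] good   = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        byte[] bad    = "correct-horse-xxxxxxx".getBytes(StandardCharsets.UTF_8);

        System.out.println("Arrays.equals, good guess: " + verifyUnsafe(stored, good));
        System.out.println("Arrays.equals, bad guess:  " + verifyUnsafe(stored, bad));
        System.out.println("isEqual, good guess:       " + verifySafe(stored, good));
        System.out.println("isEqual, bad guess:        " + verifySafe(stored, bad));
        System.out.println("constantTime, bad guess:   " + constantTimeEquals(stored, bad));
    }
}
```

Both forms return the same booleans; the difference is only in how long the false result takes to produce, which is what a timing attack measures.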
## Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Apache | Kafka | 2.8.0, 0, 0 |
## Timeline

- Aug 13, 2021: CVE Updated
- Sep 21, 2021: CVE Published

## References

- Advisory: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEKAFKA-1540736
- Patch: https://github.com/apache/kafka/commit/00c086e9087c3163cb0502bf0067bae4d401d66e
- Patch: https://github.com/apache/kafka/commit/3325342fecba56c2f5b28d60ca37605a7ebf420a
- Patch: https://github.com/apache/kafka/commit/be5889d1d110abfd2f580d88b109a9a0c8e7b2d6
- Patch: https://github.com/apache/kafka/commit/d7abd32f3569a65a4b59c7dd8a655b17ffa1b455