Kafka
CVE-2018-1288
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
AnalysisAI
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss. Affected products include: Apache Kafka, Redhat Jboss Middleware Text-Only Advisories, Oracle Database, Oracle Primavera P6 Enterprise Project Portfolio Management, Oracle Timesten In-Memory Database.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk facto
A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requi
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A security vulnerability has been identified in Apache Kafka. Rated high severity (CVSS 7.5), this vulnerability is remo
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correc
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Rated medium severity (CVSS
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today