Kafka
Monthly
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.
A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A security vulnerability has been identified in Apache Kafka. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.
A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A security vulnerability has been identified in Apache Kafka. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.