CVE-2021-38153

Vulnerable Component Details
Type: maven
Namespace: org.apache.kafka
Name: kafka-clients
Version: 2.6.2
Package URL: pkg:maven/org.apache.kafka/kafka-clients@2.6.2?type=jar
Vulnerability Details
ID: CVE-2021-38153
Description: Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Ratings
Severity:
Score: 5.9
Method: CVSSv3
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Source:
Found By: Sonatype OSS Index
References / Advisories
Weakness Enumeration