org.apache.kafka:kafka-clients@1.1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.kafka:kafka-clients package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Timing Attack

org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.

Affected versions of this package are vulnerable to Timing Attack. Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to brute force attacks by malicious users.

How to fix Timing Attack?

Upgrade org.apache.kafka:kafka-clients to version 2.8.1, 2.7.2 or higher.

[2.8.0,2.8.1) [,2.7.2)
  • M
Access Restriction Bypass

org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.

Affected versions of this package are vulnerable to Access Restriction Bypass. It is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability.

How to fix Access Restriction Bypass?

Upgrade org.apache.kafka:kafka-clients to version 2.1.1 or higher.

[0.11.0.0,2.1.1)