Allows BPMN designers to declaratively define what values, from an incoming JSON based message, will be used to correlate to a Process or a Process Instance (e.g. Execution)
Apache License 2.0
0
stars
0
forks
source link
CVE-2021-38153 (Medium) detected in kafka-clients-2.3.1.jar #16
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CVE-2021-38153 - Medium Severity Vulnerability
Library home page: https://kafka.apache.org
Path to dependency file: /messaging-kafka/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar
Dependency Hierarchy: - spring-cloud-starter-stream-kafka-3.0.0.RELEASE.jar (Root Library) - spring-cloud-stream-binder-kafka-3.0.0.RELEASE.jar - :x: **kafka-clients-2.3.1.jar** (Vulnerable Library)
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Publish Date: 2021-09-22
URL: CVE-2021-38153
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
Release Date: 2021-09-22
Fix Resolution (org.apache.kafka:kafka-clients): 2.6.3
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-stream-kafka): 3.1.6