5.9
CVE-2021-38153
- EPSS 1.19%
- Veröffentlicht 22.09.2021 09:15:07
- Zuletzt bearbeitet 21.11.2024 06:16:30
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
LoginTiming Attack Vulnerability for Apache Kafka Connect and Clients
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Oracle ≫ Communications Brm - Elastic Charging Engine Version < 12.0.0.4.6
Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.5.0
Oracle ≫ Communications Cloud Native Core Policy Version1.15.0
Oracle ≫ Financial Services Analytical Applications Infrastructure Version >= 8.0.6.0 <= 8.0.9.0
Oracle ≫ Financial Services Analytical Applications Infrastructure Version >= 8.1.0.0.0 <= 8.1.20
Oracle ≫ Financial Services Behavior Detection Platform Version >= 8.0.6.0.0 <= 8.0.8.0
Oracle ≫ Financial Services Behavior Detection Platform Version8.1.1.0
Oracle ≫ Financial Services Behavior Detection Platform Version8.1.1.1
Oracle ≫ Financial Services Behavior Detection Platform Version8.1.2.0
Oracle ≫ Financial Services Enterprise Case Management Version8.0.7.1
Oracle ≫ Financial Services Enterprise Case Management Version8.0.7.2
Oracle ≫ Financial Services Enterprise Case Management Version8.0.8.0
Oracle ≫ Financial Services Enterprise Case Management Version8.0.8.1
Oracle ≫ Financial Services Enterprise Case Management Version8.1.1.0
Oracle ≫ Financial Services Enterprise Case Management Version8.1.1.1
Oracle ≫ Primavera Unifier Version18.8
Oracle ≫ Primavera Unifier Version19.12
Oracle ≫ Primavera Unifier Version20.12
Oracle ≫ Primavera Unifier Version21.12
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.19% | 0.789 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.