CVE-2018-1288
Improper Control of Generation of Code in Apache Kafka
5.4
MEDIUM
CVSS 3.1
EPSS 0.69%
Description
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
How to fix CVE-2018-1288
To remediate CVE-2018-1288, upgrade the affected package to a fixed version below.
- —upgrade to 0.10.2.2 or later
Is CVE-2018-1288 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.9.0.0, < 0.10.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
References (11)
- ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1288
- WEBaccess.redhat.com/errata/RHSA-2018:3768
- WEBlists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef@%3Cusers.kafka.apache.org%3E
- WEBlists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E