CVE-2018-1288

CWE-94 — Code Injection CWE-287 — Improper Authentication6 documents6 sources

Severity

5.4MEDIUM

EPSS

0.7%

top 28.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Timesten In-memory Database Apache Kafka Oracle Primavera P6 Enterprise Project Portfolio Management +3 more

Timeline

PublishedJul 26

Latest updateMay 13

Description

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages7 packages

▶Mavenorg.apache.kafka:kafka0.9.0.0 — 0.10.2.2+2

▶NVDapache/kafka0.10.0.0 — 0.10.2.1+3

▶CVEListV5apache_software_foundation/apache_kafka4 versions+3

▶NVDoracle/timesten_in-memory_database< 18.1.2.1.0

▶NVDoracle/database5 versions+4

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Control of Generation of Code in Apache Kafka↗2022-05-13

▶

GHSA

Improper Control of Generation of Code in Apache Kafka↗2022-05-13

▶

CVEList

CVE-2018-1288: In Apache Kafka 0↗2018-07-26

▶

📋Vendor Advisories

Red Hat

kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass↗2018-07-26

▶

💬Community

Bugzilla

CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass↗2018-08-02

▶