CVE-2018-1288

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 26-07-2018 04:29

Last modified: - 18-04-2022 07:31

Total changes: - 3

Description

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Low

Attack complexity

Network

Attack vector

Low

Availability

None

Confidentiality

Low

Integrity

Low

Privileges required

Unchanged

Scope

None

User interaction

5.4

Base score

2.8

2.5

Exploitability score

Impact score

Verification logic

vendor=apache AND product=kafka AND versionEndIncluding=0.9.0.1 AND versionStartExcluding=0.9.0.0

vendor=apache AND product=kafka AND versionEndIncluding=0.11.0.2 AND versionStartIncluding=0.11.0.0

vendor=apache AND product=kafka AND version=1.0.0

vendor=apache AND product=kafka AND versionEndIncluding=0.10.2.1 AND versionStartIncluding=0.10.0.0

vendor=Red Hat Enterprise Linux AND product=jboss_middleware_text-only_advisories AND version=1.0 AND target_software=middleware

vendor=oracle AND product=database AND version=11.2.0.4

vendor=oracle AND product=database AND version=12.1.0.2

vendor=oracle AND product=database AND version=12.2.0.1

vendor=oracle AND product=database AND version=18c

vendor=oracle AND product=database AND version=19c

vendor=oracle AND product=primavera_p6_enterprise_project_portfolio_management AND versionEndIncluding=19.12.6.0 AND versionStartIncluding=19.12.0.0

vendor=oracle AND product=timesten_in-memory_database AND versionEndExcluding=18.1.2.1.0

Reference

[kafka-users] 20180726 CVE-2018-1288: Authenticated Kafka clients may interfere with data replication-Mailing List, Vendor Advisory
104900-Broken Link
RHSA-2018:3768-Third Party Advisory
[kafka-commits] 20190802 [kafka-site] branch asf-site updated: Add CVE-2018-17196, fix some links. (#223)-Mailing List, Patch, Vendor Advisory
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities-Mailing List, Vendor Advisory
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Mailing List, Vendor Advisory
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Mailing List, Vendor Advisory
[flink-issues] 20200402 [GitHub] [flink] zentol opened a new pull request #11617: [FLINK-16389][kafka] Bump kafka version to 0.10.2.2-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
[kafka-dev] 20211007 Re: CVE Back Port?-Mailing List, Vendor Advisory

Keywords

CVE-2018-1288

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-1288

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures