CVE-2017-12610 - Medium Severity Vulnerability
Vulnerable Library - kafka-clients-0.11.0.0.jar
Library home page: http://kafka.apache.org
Path to dependency file: /dd-java-agent/instrumentation/kafka-clients-0.11/kafka-clients-0.11.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar,/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar
Dependency Hierarchy:
- ❌ kafka-clients-0.11.0.0.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.
Publish Date: 2018-07-26
URL: CVE-2017-12610
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xm78-4m3g-7wm7
Release Date: 2018-07-26
Fix Resolution: 0.11.0.2
⛑️ Automatic Remediation is available for this issue
CVE-2017-12610 - Medium Severity Vulnerability
Library home page: http://kafka.apache.org
Path to dependency file: /dd-java-agent/instrumentation/kafka-clients-0.11/kafka-clients-0.11.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar,/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/0.11.0.0/8f51f9b62923a1b35e31b613020ea5ef7df27d8f/kafka-clients-0.11.0.0.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.
Publish Date: 2018-07-26
URL: CVE-2017-12610
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-xm78-4m3g-7wm7
Release Date: 2018-07-26
Fix Resolution: 0.11.0.2
⛑️ Automatic Remediation is available for this issue