CVE-2018-1288

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

Published: Jul 26, 2018
Updated: Nov 8, 2023
CVE: CVE-2018-1288
GHSA: GHSA-gh27-38p5-mrxc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
apache / kafka	0.9.0.0.x	0.9.0.1.x
apache / kafka	0.10.0.0	0.10.2.1.x
apache / kafka	0.11.0.0	0.11.0.2.x
apache / kafka	1.0.0	1.0.0.x
redhat / jboss_middleware_text-only_advisories	1.0	1.0.x
oracle / database	12.1.0.2	12.1.0.2.x
oracle / database	11.2.0.4	11.2.0.4.x
oracle / database	12.2.0.1	12.2.0.1.x
oracle / database	18c	18c.x
oracle / primavera_p6_enterprise_project_portfolio_management	19.12.0.0	19.12.6.0.x
oracle / timesten_in-memory_database	-	18.1.2.1.0
oracle / database	19c	19c.x
org.apache.kafka / kafka	0.9.0.0	0.10.2.2
org.apache.kafka / kafka	0.11.0.0	0.11.0.3
org.apache.kafka / kafka	1.0.0	1.0.0.x
org.apache.kafka / kafka	1.0.0	1.0.1

Vulnerability Database

289,599

CVE-2018-1288