CVE-2021-38153: Information Exposure Through Discrepancy

September 22, 2021 (updated November 9, 2023)

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful.

References

kafka.apache.org/cve-list
nvd.nist.gov/vuln/detail/CVE-2021-38153

Code Behaviors & Features

Detect and mitigate CVE-2021-38153 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →