{"id":"CVE-2018-1288","details":"In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.","aliases":["GHSA-gh27-38p5-mrxc"],"modified":"2026-04-10T04:05:05.961843Z","published":"2018-07-26T14:29:00.547Z","related":["SUSE-SU-2018:2536-1","SUSE-SU-2018:3563-1","openSUSE-SU-2024:10886-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r07e1bbd1643847d599feb34c707906a4fdcc81e3a6ab01a10c451d40%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/d1581fb6464c9bec8a72575c01f5097d68e2fbb230aff24622622a58%40%3Ccommits.kafka.apache.org%3E"},{"type":"WEB","url":"http://www.securityfocus.com/bid/104900"},{"type":"WEB","url":"https://lists.apache.org/thread.html/29f61337323f48c47d4b41d74b9e452bd60e65d0e5103af9a6bb2fef%40%3Cusers.kafka.apache.org%3E"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3768"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/kafka","events":[{"introduced":"0"},{"last_affected":"23c69d62a0cabf06c4db8b338f0ca824dc6d81a7"},{"introduced":"b8642491e78c5a137f5012e31d347c01f3b02339"},{"last_affected":"e89bffd6b2eff799713f560074c657f3f522cd85"},{"introduced":"e18335dd953107a61d89451932de33d33c0fd207"},{"last_affected":"73be1e1168f91ee2a9d68e1d1c75c14018cf7d3a"},{"introduced":"0"},{"last_affected":"aaa7af6d4a11b29d3da9c5d6084530b8fa69be64"},{"introduced":"0"},{"last_affected":"aaa7af6d4a11b29d3da9c5d6084530b8fa69be64"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.9.0.1"},{"introduced":"0.10.0.0"},{"last_affected":"0.10.2.1"},{"introduced":"0.11.0.0"},{"last_affected":"0.11.0.2"},{"introduced":"0"},{"last_affected":"1.0.0"},{"introduced":"0"},{"last_affected":"1.0"}]}}],"versions":["0.10.2.1","0.10.2.1-rc3","0.11.0.2","0.11.0.2-rc0","0.9.0.0","0.9.0.1","1.0.0","1.0.0-rc4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.2.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"19c"}]},{"events":[{"introduced":"19.12.0.0"},{"last_affected":"19.12.6.0"}]},{"events":[{"introduced":"0"},{"fixed":"18.1.2.1.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1288.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}]}