{"id":"CVE-2021-38153","details":"Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.","aliases":["BIT-kafka-2021-38153","GHSA-3j6g-hxx5-3q26"],"modified":"2026-04-10T04:36:29.768744Z","published":"2021-09-22T09:15:07.847Z","related":["CGA-j3vj-mw6p-cxr8"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E"},{"type":"ADVISORY","url":"https://kafka.apache.org/cve-list"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"ca1e69e9fbc13d531226a7d7a0cab59e835ee167"},{"fixed":"3e61beaf61737e72ee748bb086506009adf00175"},{"introduced":"6378c69703a485f55b3d221493b5f1e3cfdf9003"},{"fixed":"c7555123aaef705d6e35693da4c0daa3db2e9cd7"},{"introduced":"0"},{"last_affected":"66d70929d614e77e0019164cc7d50a1379533e39"},{"introduced":"0"},{"fixed":"d0ffa05fe8b8fb258d6c177ff0427dd71d7d5210"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.6.3"},{"introduced":"2.7.0"},{"fixed":"2.7.2"},{"introduced":"0"},{"last_affected":"2.8.0-NA"},{"introduced":"0"},{"fixed":"2.2.4"}]}}],"versions":["2.8.0.Final"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38153.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"8.0.6.0"},{"last_affected":"8.0.9.0"}]},{"events":[{"introduced":"8.1.0.0.0"},{"last_affected":"8.1.20"}]},{"events":[{"introduced":"8.0.6.0.0"},{"last_affected":"8.0.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.7.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}