divijvaidya opened a new pull request, #531: URL: https://github.com/apache/kafka-site/pull/531
## Change Add details about CVE-2023-34455 to cve-list section of the website as an action item from discussion in the mailing list [email protected]. ## FAQs 1. What versions of Kafka are impacted? A. All versions that support Snappy are impacted starting from [Apache Kafka 0.8.0](https://issues.apache.org/jira/browse/KAFKA-187) starting with [snappy-java version 1.0.4.1](https://github.com/apache/kafka/blob/15bb3961d9171c1c54c4c840a554ce2c76168163/project/build/KafkaProject.scala#L249). Note that Apache Kafka (AK) has been using the same Snappy-Java API (SnappyInputStream) [since the beginning](https://github.com/apache/kafka/blob/15bb3961d9171c1c54c4c840a554ce2c76168163/core/src/main/scala/kafka/message/CompressionFactory.scala#L45). 2. What versions of Snappy-Java have this vulnerability? A. [All versions prior to 1.1.10.1](https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh) 3. Which users are impacted? A. All workloads which use snappy based compression are impacted. Even if a user isn't currently using snappy compression, a malicious user can send a produce request containing a record with a malicious payload which is compressed using snappy. ## Testing Result of running the website locally after applying this PR is as follows:  -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
