[
https://issues.apache.org/jira/browse/KAFKA-12324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dongjin Lee reassigned KAFKA-12324:
-----------------------------------
Assignee: Dongjin Lee
> Upgrade jetty to fix CVE-2020-27218
> -----------------------------------
>
> Key: KAFKA-12324
> URL: https://issues.apache.org/jira/browse/KAFKA-12324
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.7.0
> Reporter: John Stacy
> Assignee: Dongjin Lee
> Priority: Major
>
> h3. CVE-2020-27218 Detail
> In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to
> 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body
> inflation is enabled and requests from different clients are multiplexed onto
> a single connection, and if an attacker can send a request with a body that
> is received entirely but not consumed by the application, then a subsequent
> request on the same connection will see that body prepended to its body. The
> attacker will not see any data but may inject data into the body of the
> subsequent request.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
