[ 
https://issues.apache.org/jira/browse/KAFKA-12324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Manikumar resolved KAFKA-12324.
-------------------------------
    Fix Version/s: 2.8.0
                   2.6.2
                   2.7.1
       Resolution: Fixed

Issue resolved by pull request 10177
[https://github.com/apache/kafka/pull/10177]

> Upgrade jetty to fix CVE-2020-27218
> -----------------------------------
>
>                 Key: KAFKA-12324
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12324
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: John Stacy
>            Assignee: Dongjin Lee
>            Priority: Major
>             Fix For: 2.7.1, 2.6.2, 2.8.0
>
>
> h3. CVE-2020-27218 Detail
> In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 
> 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body 
> inflation is enabled and requests from different clients are multiplexed onto 
> a single connection, and if an attacker can send a request with a body that 
> is received entirely but not consumed by the application, then a subsequent 
> request on the same connection will see that body prepended to its body. The 
> attacker will not see any data but may inject data into the body of the 
> subsequent request.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to