GHSA-gh27-38p5-mrxc

GitHub Security Advisory

Improper Control of Generation of Code in Apache Kafka

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform an action reserved for the Broker via a manually created fetch request, interfering with data replication and resulting in data loss.

Affected Packages

Maven org.apache.kafka:kafka
Affected versions: 0.9.0.0 (fixed in 0.10.2.2)
Maven org.apache.kafka:kafka
Affected versions: 0.11.0.0 (fixed in 0.11.0.3)
Maven org.apache.kafka:kafka
Affected versions: 1.0.0 (fixed in 1.0.1)

Key Information

GHSA ID: GHSA-gh27-38p5-mrxc
Published: May 13, 2022 1:02 AM
Last Modified: June 29, 2022 10:43 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.apache.kafka:kafka
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.