fvaleri commented on code in PR #531: URL: https://github.com/apache/kafka-site/pull/531#discussion_r1252964157
########## cve-list.html: ########## @@ -9,6 +9,44 @@ <h1>Apache Kafka Security Vulnerabilities</h1> This page lists all security vulnerabilities fixed in released versions of Apache Kafka. + <h2 id="CVE-2023-34455"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34455">CVE-2023-34455</a> Clients using Snappy compression may cause out of memory error on brokers</h2> + + <p> This CVE identifies a vulnerability in snappy-java which could be used to cause an Out-of-Memory (OOM) condition, leading to Denial-of-Service(DoS) on the Kafka broker. + The vulnerability allows any user who can producer data to the broker to exploit the vulnerability by sending a malicious payload in the record which is compressed using snappy. For more details on the vulnerability, please refer to the following + link: <a href="https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh">snappy-java GitHub advisory.</a> + </p> + + <table class="data-table"> + <tbody> + <tr> + <td>Versions affected</td> + <td>0.8.0 - 3.5.0</td> + </tr> + <tr> + <td>Fixed versions</td> + <td>3.5.1 (in-progress, <a href="https://lists.apache.org/thread/fkqy14bx8dc2ffrtvxyrg5f9fobjd2fd">tentative release end of July 2023</a>)</td> + </tr> + <tr> + <td>Impact</td> + <td> This vulnerability allows any user who can produce data to the broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be exploited Review Comment: Thanks. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
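Review bot: typo in the added `<p>` description in the cve-list.html hunk: "any user who can producer data to the broker" should read "any user who can produce data to the broker" (the Impact row below it already uses "produce"). Also, "Denial-of-Service(DoS)" appears twice in this hunk without a space before the parenthesis; suggest "Denial-of-Service (DoS)" in both places. One maintenance point: the Fixed versions cell currently reads "3.5.1 (in-progress, tentative release end of July 2023)", so the entry will need a follow-up edit once 3.5.1 is released so the page does not keep advertising an unreleased fix.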