[ https://issues.apache.org/jira/browse/KAFKA-12324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283584#comment-17283584 ]
Dongjin Lee commented on KAFKA-12324:
-------------------------------------

I am now working on this issue. But the Jetty upgrade is a little bit more complicated than expected due to API changes.

> Upgrade jetty to fix CVE-2020-27218
> -----------------------------------
>
>                 Key: KAFKA-12324
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12324
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: John Stacy
>            Assignee: Dongjin Lee
>            Priority: Major
>
> h3. CVE-2020-27218 Detail
> In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to
> 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body
> inflation is enabled and requests from different clients are multiplexed onto
> a single connection, and if an attacker can send a request with a body that
> is received entirely but not consumed by the application, then a subsequent
> request on the same connection will see that body prepended to its body. The
> attacker will not see any data but may inject data into the body of the
> subsequent request.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)