divijvaidya opened a new pull request, #531: URL: https://github.com/apache/kafka-site/pull/531
## Change Add details about CVE-2023-34455 to cve-list section of the website as an action item from discussion in the mailing list secur...@kafka.apache.org. ## FAQs 1. What versions of Kafka are impacted? A. All versions that support Snappy are impacted starting from [Apache Kafka 0.8.0](https://issues.apache.org/jira/browse/KAFKA-187) starting with [snappy-java version 1.0.4.1](https://github.com/apache/kafka/blob/15bb3961d9171c1c54c4c840a554ce2c76168163/project/build/KafkaProject.scala#L249). Note that Apache Kafka (AK) has been using the same Snappy-Java API (SnappyInputStream) [since the beginning](https://github.com/apache/kafka/blob/15bb3961d9171c1c54c4c840a554ce2c76168163/core/src/main/scala/kafka/message/CompressionFactory.scala#L45). 2. What versions of Snappy-Java have this vulnerability? A. [All versions prior to 1.1.10.1](https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh) 3. Which users are impacted? A. All workloads which use snappy based compression are impacted. Even if a user isn't currently using snappy compression, a malicious user can send a produce request containing a record with a malicious payload which is compressed using snappy. ## Testing Result of running the website locally after applying this PR is as follows: ![Screenshot 2023-07-04 at 16 55 44](https://github.com/apache/kafka-site/assets/71267/47fc2057-298c-4028-be97-e82a5e4f849f) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org