PyPi: Confluent-Kafka

CVE-2019-17543

Transitive

Safety vulnerability ID: 38072

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 14, 2019 Updated at May 07, 2024

Advisory

Confluent-kafka 1.3.0 updates its bundled C dependency lz4 to v1.9.2, which includes the security fix for CVE-2019-17543.

Affected package

confluent-kafka

Latest version: 2.4.0

Confluent's Python client for Apache Kafka

Affected versions

Fixed versions

Vulnerability changelog


confluent-kafka-python is based on librdkafka v1.3.0, see the [librdkafka v1.3.0 release notes](https://github.com/edenhill/librdkafka/releases/tag/v1.3.0) for a complete list of changes, enhancements, fixes and upgrade considerations.

This is a feature release adding support for KIP-392 Fetch from follower, allowing a consumer to fetch messages from the closest replica to increase throughput and reduce cost.

Features
* KIP-392 - Fetch messages from closest replica / follower (by mhowlett)
* Python 3.8 binary wheel support for OSX and Linux. Windows Python 3.8 binary wheels are not currently available.

Enhancements
* New example using python3 and asyncio (by mhowlett)
* Add warnings for inconsistent security configuration.
* Optimizations to hdr histogram (stats) rollover.
* Print compression type per message-set when debug=msg
* Various doc fixes, updates and enhancements (edenhill, mhowlett)

Fixes
* Fix crash when new topic is not created. (Mostafa Razavi, #725)
* Fix stringer/repr for SerializerError class (ferozed, #675)
* Fix consumer_lag in stats when consuming from broker versions <0.11.0.0 (regression in librdkafka v1.2.0).
* Properly handle new Kafka-framed SASL GSSAPI frame semantics on Windows ([2542](https://github.com/edenhill/librdkafka/issues/2542)). This bug was introduced in v1.2.0 and broke GSSAPI authentication on Windows.
* Fix msgq (re)insertion code to avoid O(N^2) insert sort operations on retry ([2508](https://github.com/edenhill/librdkafka/issues/2508)). The msgq insert code now properly handles interleaved and overlapping message range inserts, which may occur during Producer retries for high-throughput applications.
* Fix producer insert msgq regression in v1.2.1 ([2450](https://github.com/edenhill/librdkafka/issues/2450)).
* Upgrade builtin lz4 to 1.9.2 (CVE-2019-17543, [2598](https://github.com/edenhill/librdkafka/issues/2598)).
* Don't trigger error when broker hostname changes ([2591](https://github.com/edenhill/librdkafka/issues/2591)).
* Less strict message.max.bytes check for individual messages ([993](https://github.com/edenhill/librdkafka/issues/993)).
* Don't call timespec_get() on OSX (since it was removed in recent XCode) (by maparent).
* LZ4 is available from ProduceRequest 0, not 3 (fixes assert in [2480](https://github.com/edenhill/librdkafka/issues/2480)).
* Address 12 code issues identified by Coverity static code analysis.


Severity Details

CVSS Base Score

HIGH 8.1

CVSS v3 Details

HIGH 8.1
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 6.8
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL