rite2nikhil commented on a change in pull request #392:
URL: https://github.com/apache/kafka-site/pull/392#discussion_r789377878
##########
File path: cve-list.html
##########
@@ -9,6 +9,31 @@ <h1>Apache Kafka Security Vulnerabilities</h1>
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+<h2><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307";>CVE-2022-23307</a> 
Deserialization of Untrusted Data Flaw in Apache Log4j logging library in 
versions 1.x</h2>
+
+  <p>This CVE identified a flaw where it allows an attacker to send a 
malicious request with serialized data to the component running <code>log4j 
1.x</code> to be deserialized when the chainsaw component is run. Chainsaw is a 
standalone GUI for viewing log entries in log4j. An attacker not only needs to 
be able to generate malicious log entries, but also, have the necessary access 
and permissions to start chainsaw (or if it is already enabled by a customer / 
consumer of Apache Kafka).</p>
+  
+  <table class="data-table">
+  <tbody>
+    <tr>
+      <td>Versions affected</td>
+      <td>All AK versions</td>
+    </tr>
+    <tr>
+      <td>Fixed versions</td>
+      <td>NA</td>
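Review bot: the "Fixed versions" row reads "NA", which leaves the reader unsure whether no Kafka release fixes this CVE yet or whether no Kafka fix is needed at all; since the paragraph above argues that exposure requires someone to actually start the Chainsaw GUI, state the conclusion in the cell itself (for example "No fix required: Kafka does not ship or run Chainsaw" or "Pending", whichever is accurate) rather than "NA", which contradicts the page's own framing of listing vulnerabilities "fixed in released versions". In the same table, "All AK versions" should be spelled out as "All Apache Kafka versions" for readers arriving from the NVD link. Also check the stray `;` after the closing quote in `href="https://nvd.nist.gov/vuln/detail/CVE-2022-23307";>` before merging: unless it is only an artifact of the mail archive, it renders as a literal semicolon in the heading.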

Review comment:
       makes sense
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org