CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-30677 – Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors
https://notcve.org/view.php?id=CVE-2025-30677
09 Apr 2025 — Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access ... • https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56128 – Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption
https://notcve.org/view.php?id=CVE-2024-56128
18 Dec 2024 — Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. Impact: Th... • https://datatracker.ietf.org/doc/html/rfc5802 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31141 – Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider
https://notcve.org/view.php?id=CVE-2024-31141
19 Nov 2024 — Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurat... • https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv • CWE-269: Improper Privilege Management CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27309 – Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
https://notcve.org/view.php?id=CVE-2024-27309
12 Apr 2024 — While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal. When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or m... • http://www.openwall.com/lists/oss-security/2024/04/12/3 • CWE-863: Incorrect Authorization •