GHSA-mcwh-c9pg-xw43

Source
https://github.com/advisories/GHSA-mcwh-c9pg-xw43
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mcwh-c9pg-xw43
Aliases
Published
2025-06-10T09:30:31Z
Modified
2025-12-11T21:01:12.235418Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Kafka Deserialization of Untrusted Data vulnerability
Details

In CVE-2023-25194, we announced the RCE/denial of service attack via SASL JAAS JndiLoginModule configuration in the Kafka Connect API. The Kafka Connect API is not the only component exposed to this attack: the Apache Kafka brokers have the same vulnerability. To exploit it, the attacker needs to be able to connect to the Kafka cluster and hold the AlterConfigs permission on the cluster resource.

Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the use of problematic login modules in SASL JAAS configuration. By default, "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in Apache Kafka 3.9.1/4.0.0.
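As an added illustration (not part of the advisory or of Kafka's own code), the following Python check validates a sasl.jaas.config value against the disallowed-module list a broker would enforce: the -D override if one is present on the JVM command line, otherwise the per-release default stated above. The JAAS entry grammar it assumes (module class, control flag, options, semicolon; flag matched case-insensitively) and all sample values are constructed.

```python
import re

# Defaults as stated in the advisory, keyed by the release in which each took effect.
DEFAULT_DISALLOWED = {
    "3.4.0": {"com.sun.security.auth.module.JndiLoginModule"},
    "3.9.1": {"com.sun.security.auth.module.JndiLoginModule",
              "com.sun.security.auth.module.LdapLoginModule"},
}

_PROP = "org.apache.kafka.disallowed.login.modules"
# Assumed JAAS entry shape: "<LoginModuleClass> <flag> key=value ... ;"
_ENTRY = re.compile(r"([A-Za-z_$][\w.$]*)\s+(?:required|requisite|sufficient|optional)\b",
                    re.IGNORECASE)


def effective_disallowed(jvm_args, default_key="3.9.1"):
    """Disallowed-module set in force: the -D override if set, else the release default."""
    for arg in jvm_args:
        if arg.startswith(f"-D{_PROP}="):
            value = arg.split("=", 1)[1]
            return {m.strip() for m in value.split(",") if m.strip()}
    return set(DEFAULT_DISALLOWED[default_key])


def login_modules(jaas_config):
    """Extract the login-module class names named in a sasl.jaas.config value."""
    return [m.group(1) for m in _ENTRY.finditer(jaas_config)]


def check_jaas_config(jaas_config, disallowed):
    """Return the modules the broker should reject; an empty list means acceptable."""
    return [m for m in login_modules(jaas_config) if m in disallowed]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    safe = ('org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="alice" password="<redacted>";')
    risky = "com.sun.security.auth.module.JndiLoginModule required;"
    ldap = "com.sun.security.auth.module.LdapLoginModule required;"
    print(check_jaas_config(safe, effective_disallowed([])))           # []
    print(check_jaas_config(risky, effective_disallowed([])))          # JndiLoginModule flagged
    # Under the 3.4.0 default only JndiLoginModule is blocked, so LdapLoginModule passes:
    print(check_jaas_config(ldap, effective_disallowed([], "3.4.0")))  # []
```

The last case is the point of the version caveat: a 3.4.0 broker without an explicit -D list still accepts LdapLoginModule, so operators on that line should set the property rather than rely on the default.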

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2025-06-10T08:15:22Z",
    "github_reviewed_at": "2025-06-10T20:21:18Z",
    "github_reviewed": true
}
References

Affected packages

Maven
org.apache.kafka:kafka_2.10

Package

Name
org.apache.kafka:kafka_2.10
Purl
pkg:maven/org.apache.kafka/kafka_2.10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.8.0
0.8.1
0.8.1.1
0.8.2-beta
0.8.2.0
0.8.2.1
0.8.2.2
0.9.0.0
0.9.0.1
0.10.0.0
0.10.0.1
0.10.1.0
0.10.1.1
0.10.2.0
0.10.2.1
0.10.2.2

Database specific

last_known_affected_version_range
"< 3.4.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.11

Package

Name
org.apache.kafka:kafka_2.11
Purl
pkg:maven/org.apache.kafka/kafka_2.11

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.8.2-beta
0.8.2.0
0.8.2.1
0.8.2.2
0.9.0.0
0.9.0.1
0.10.0.0
0.10.0.1
0.10.1.0
0.10.1.1
0.10.2.0
0.10.2.1
0.10.2.2
0.11.0.0
0.11.0.1
0.11.0.2
0.11.0.3
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
2.*
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.4.0
2.4.1

Database specific

last_known_affected_version_range
"< 3.4.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.12

Package

Name
org.apache.kafka:kafka_2.12
Purl
pkg:maven/org.apache.kafka/kafka_2.12

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.0

Affected versions

0.*
0.10.1.1
0.10.2.0
0.10.2.1
0.10.2.2
0.11.0.0
0.11.0.1
0.11.0.2
0.11.0.3
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
2.*
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.3.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.13

Package

Name
org.apache.kafka:kafka_2.13
Purl
pkg:maven/org.apache.kafka/kafka_2.13

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.0

Affected versions

2.*
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.3.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.8.0

Package

Name
org.apache.kafka:kafka_2.8.0
Purl
pkg:maven/org.apache.kafka/kafka_2.8.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.8.0-beta1
0.8.0
0.8.1
0.8.1.1

Database specific

last_known_affected_version_range
"< 3.4.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.8.2

Package

Name
org.apache.kafka:kafka_2.8.2
Purl
pkg:maven/org.apache.kafka/kafka_2.8.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.8.0-beta1
0.8.0
0.8.1

Database specific

last_known_affected_version_range
"< 3.4.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.9.1

Package

Name
org.apache.kafka:kafka_2.9.1
Purl
pkg:maven/org.apache.kafka/kafka_2.9.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.8.0-beta1
0.8.0
0.8.1
0.8.1.1
0.8.2-beta
0.8.2.0
0.8.2.1
0.8.2.2

Database specific

last_known_affected_version_range
"< 3.4.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"
org.apache.kafka:kafka_2.9.2

Package

Name
org.apache.kafka:kafka_2.9.2
Purl
pkg:maven/org.apache.kafka/kafka_2.9.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.8.0-beta1
0.8.0
0.8.1
0.8.1.1
0.8.2-beta
0.8.2.0
0.8.2.1
0.8.2.2

Database specific

last_known_affected_version_range
"< 3.4.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json"