GHSA-XRHH-HX36-485Q

Vulnerability from github – Published: 2025-12-05 22:02 – Updated: 2025-12-05 22:02
VLAI?
Summary
Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands
Details

Impact

In some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The exact scenario when this happens is when: * Apache Kafka Connect is deployed without at least one of the following options configured: * TLS encryption with configured trusted certificates (no .spec.tls.trustedCertificates section in the KafkaConnect CR) * mTLS authentication (no type: tls in .spec.authentication section of the KafkaConnect CR) * TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.authentication.tlsTrustedCertificates section in the KafkaConnect CR) * Apache Kafka MirrorMaker2 is deployed without at least one of the following options configured for the target cluster: * TLS encryption with configured trusted certificates (no .spec.target.tls.trustedCertificates section in the KafkaConnect CR) * mTLS authentication (no type: tls in .spec.target.authentication section of the KafkaConnect CR) * TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.target.authentication.tlsTrustedCertificates section in the KafkaConnect CR) * TLS encryption with configured trusted certificates (no .spec.clusters[].tls.trustedCertificates section in the KafkaConnect CR for the target cluster) * mTLS authentication (no type: tls in .spec.clusters[].authentication section of the KafkaConnect CR for the target cluster) * TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.clusters[].authentication.tlsTrustedCertificates section in the KafkaConnect CR for the target cluster)

When the operands configured as described above are deployed with Strimzi >= 0.47.0 and <= 0.49.0, any code running within their Pods and using their Service Account for authentication will be able to GET any Kubernetes Secret from the same namespace. This can be done by executing 3rd party tools from the Pods. Or directly from the Kafka Connect code, for example, using configuration providers or HTTP connectors. The Pods are allowed to only GET the Secrets. They are not allowed to list, watch, modify, or delete the Secrets.

Patches

The issue is fixed in Strimzi 0.49.1.

Workarounds

There is no workaround for this issue when using the affected operands with the affected configurations.

Severity ?
7.4 (High)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.strimzi:strimzi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.47.0"
            },
            {
              "fixed": "0.49.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-05T22:02:37Z",
    "nvd_published_at": "2025-12-05T19:15:52Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn some situations, Strimzi creates an incorrect Kubernetes `Role` which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the `GET` access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The exact scenario when this happens is when:\n* Apache Kafka Connect is deployed without at least one of the following options configured:\n    * TLS encryption with configured trusted certificates (no `.spec.tls.trustedCertificates` section in the `KafkaConnect` CR)\n    * mTLS authentication (no `type: tls` in `.spec.authentication` section of the `KafkaConnect` CR)\n    * TLS encryption with configured trusted certificates for `type: oauth` authentication (no `.spec.authentication.tlsTrustedCertificates` section in the `KafkaConnect` CR)\n* Apache Kafka MirrorMaker2 is deployed without at least one of the following options configured for the target cluster:\n    * TLS encryption with configured trusted certificates (no `.spec.target.tls.trustedCertificates` section in the `KafkaConnect` CR)\n    * mTLS authentication (no `type: tls` in `.spec.target.authentication` section of the `KafkaConnect` CR)\n    * TLS encryption with configured trusted certificates for `type: oauth` authentication (no `.spec.target.authentication.tlsTrustedCertificates` section in the `KafkaConnect` CR)\n    * TLS encryption with configured trusted certificates (no `.spec.clusters[].tls.trustedCertificates` section in the `KafkaConnect` CR for the target cluster)\n    * mTLS authentication (no `type: tls` in `.spec.clusters[].authentication` section of the `KafkaConnect` CR for the target cluster)\n    * TLS encryption with configured trusted certificates for `type: oauth` authentication (no `.spec.clusters[].authentication.tlsTrustedCertificates` section in the `KafkaConnect` CR for the target cluster)\n\nWhen the operands configured as described above are deployed with Strimzi \u003e= 0.47.0 and \u003c= 0.49.0, any code running within their Pods and using their Service Account for authentication will be able to `GET` any Kubernetes Secret from the same namespace. This can be done by executing 3rd party tools from the Pods. Or directly from the Kafka Connect code, for example, using configuration providers or HTTP connectors. The Pods are allowed to only `GET` the Secrets. They are not allowed to list, watch, modify, or delete the Secrets.\n\n### Patches\n\nThe issue is fixed in Strimzi 0.49.1.\n\n### Workarounds\n\nThere is no workaround for this issue when using the affected operands with the affected configurations.",
  "id": "GHSA-xrhh-hx36-485q",
  "modified": "2025-12-05T22:02:37Z",
  "published": "2025-12-05T22:02:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strimzi/strimzi-kafka-operator"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.