Vulnerability-Lookup

WID-SEC-W-2025-1269

Vulnerability from csaf_certbund - Published: 2025-06-09 22:00 - Updated: 2025-08-24 22:00

Summary

Apache Kafka: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache Kafka ist eine verteilte Streaming-Plattform mit einer Publish-Subcribe-Architektur (Pub-Sub).

Angriff: Ein Angreifer kann mehrere Schwachstellen in Apache Kafka ausnutzen, um Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial-of-Service auszulösen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2025-27817

CVE-2025-27818

CVE-2025-27819

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://seclists.org/oss-sec/2025/q2/235	external
	https://seclists.org/oss-sec/2025/q2/236	external
	https://seclists.org/oss-sec/2025/q2/237	external
	https://github.com/kk12-30/CVE-2025-27817	external
	https://access.redhat.com/errata/RHSA-2025:9922	external
	https://www.ibm.com/support/pages/node/7241535	external
	https://www.ibm.com/support/pages/node/7241547	external
	https://www.ibm.com/support/pages/node/7241589	external
	https://www.ibm.com/support/pages/node/7242900	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Kafka ist eine verteilte Streaming-Plattform mit einer Publish-Subcribe-Architektur (Pub-Sub).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Apache Kafka ausnutzen, um Informationen offenzulegen, beliebigen Programmcode auszuf\u00fchren oder einen Denial-of-Service auszul\u00f6sen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1269 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1269.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1269 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1269"
      },
      {
        "category": "external",
        "summary": "Mailing List OSS Security vom 2025-06-09",
        "url": "https://seclists.org/oss-sec/2025/q2/235"
      },
      {
        "category": "external",
        "summary": "Mailing List OSS Security vom 2025-06-09",
        "url": "https://seclists.org/oss-sec/2025/q2/236"
      },
      {
        "category": "external",
        "summary": "Mailing List OSS Security vom 2025-06-09",
        "url": "https://seclists.org/oss-sec/2025/q2/237"
      },
      {
        "category": "external",
        "summary": "PoC CVE-2025-27817 vom 2025-06-11",
        "url": "https://github.com/kk12-30/CVE-2025-27817"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:9922 vom 2025-06-30",
        "url": "https://access.redhat.com/errata/RHSA-2025:9922"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7241535 vom 2025-08-06",
        "url": "https://www.ibm.com/support/pages/node/7241535"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7241547 vom 2025-08-06",
        "url": "https://www.ibm.com/support/pages/node/7241547"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7241589 vom 2025-08-06",
        "url": "https://www.ibm.com/support/pages/node/7241589"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7242900 vom 2025-08-22",
        "url": "https://www.ibm.com/support/pages/node/7242900"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Kafka: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-08-24T22:00:00.000+00:00",
      "generator": {
        "date": "2025-08-25T07:21:02.075+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1269",
      "initial_release_date": "2025-06-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-06-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-06-10T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: 2371365, 2371367"
        },
        {
          "date": "2025-06-11T22:00:00.000+00:00",
          "number": "3",
          "summary": "PoC f\u00fcr CVE-2025-27817 aufgenommen"
        },
        {
          "date": "2025-06-30T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-08-06T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-08-24T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.0.0",
                "product": {
                  "name": "Apache Kafka \u003c4.0.0",
                  "product_id": "T044458"
                }
              },
              {
                "category": "product_version",
                "name": "4.0.0",
                "product": {
                  "name": "Apache Kafka 4.0.0",
                  "product_id": "T044458-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:kafka:4.0.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.9.1",
                "product": {
                  "name": "Apache Kafka \u003c3.9.1",
                  "product_id": "T044459"
                }
              },
              {
                "category": "product_version",
                "name": "3.9.1",
                "product": {
                  "name": "Apache Kafka 3.9.1",
                  "product_id": "T044459-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:kafka:3.9.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Kafka"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c12.14.0",
                "product": {
                  "name": "IBM App Connect Enterprise \u003c12.14.0",
                  "product_id": "T045927"
                }
              },
              {
                "category": "product_version",
                "name": "12.14.0",
                "product": {
                  "name": "IBM App Connect Enterprise 12.14.0",
                  "product_id": "T045927-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:app_connect_enterprise:12.14.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cLTS 12.0.14",
                "product": {
                  "name": "IBM App Connect Enterprise \u003cLTS 12.0.14",
                  "product_id": "T045928"
                }
              },
              {
                "category": "product_version",
                "name": "LTS 12.0.14",
                "product": {
                  "name": "IBM App Connect Enterprise LTS 12.0.14",
                  "product_id": "T045928-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:app_connect_enterprise:lts_12.0.14"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "13.0.1.0-13.0.4.0",
                "product": {
                  "name": "IBM App Connect Enterprise 13.0.1.0-13.0.4.0",
                  "product_id": "T046467",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:app_connect_enterprise:13.0.1.0_-_13.0.4.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "12.0.1.0-12.0.12.15",
                "product": {
                  "name": "IBM App Connect Enterprise 12.0.1.0-12.0.12.15",
                  "product_id": "T046468",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:app_connect_enterprise:12.0.1.0_-_12.0.12.15"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "App Connect Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for z/OS 10.1.0.0-10.1.0.5",
                "product": {
                  "name": "IBM Integration Bus for z/OS 10.1.0.0-10.1.0.5",
                  "product_id": "T046469",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:integration_bus:10.1.0.0_-_10.1.0.5::for_zos"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Integration Bus"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP13",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP13",
                  "product_id": "T045828"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP13",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP13",
                  "product_id": "T045828-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.5",
                "product": {
                  "name": "IBM Security Guardium 11.5",
                  "product_id": "1411051",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_guardium:11.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Guardium"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-27817",
      "product_status": {
        "known_affected": [
          "T046468",
          "T044458",
          "T046469",
          "67646",
          "T044459",
          "T045828",
          "T045927",
          "T045928",
          "T046467",
          "1411051"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2025-27817"
    },
    {
      "cve": "CVE-2025-27818",
      "product_status": {
        "known_affected": [
          "T046468",
          "T044458",
          "T046469",
          "67646",
          "T044459",
          "T045828",
          "T045927",
          "T045928",
          "T046467",
          "1411051"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2025-27818"
    },
    {
      "cve": "CVE-2025-27819",
      "product_status": {
        "known_affected": [
          "T046468",
          "T044458",
          "T046469",
          "67646",
          "T044459",
          "T045828",
          "T045927",
          "T045928",
          "T046467",
          "1411051"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2025-27819"
    }
  ]
}

CVE-2025-27819 (GCVE-0-2025-27819)

Vulnerability from cvelistv5 – Published: 2025-06-10 07:54 – Updated: 2025-06-10 15:15

Title

Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration

Summary

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

https://kafka.apache.org/cve-list

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kafka	Affected: 2.0.0 , ≤ 3.3.2 (semver)

Credits

Ziyang Li Ji'an Zhou Ying Zhu

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T14:18:03.922208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-10T15:15:58.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.3.2",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ziyang Li"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ji\u0027an Zhou"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ying Zhu"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eIn CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eSince Apache Kafka 3.4.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage in SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule\" is disabled in Apache Kafka 3.4.0, and \"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule\" is disabled by default in in Apache Kafka 3.9.1/4.0.0\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource.\n\n\nSince Apache Kafka 3.4.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage in SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule\" is disabled in Apache Kafka 3.4.0, and \"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule\" is disabled by default in in Apache Kafka 3.9.1/4.0.0"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T07:54:41.896Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kafka.apache.org/cve-list"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-27819",
    "datePublished": "2025-06-10T07:54:41.896Z",
    "dateReserved": "2025-03-07T10:02:19.848Z",
    "dateUpdated": "2025-06-10T15:15:58.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27818 (GCVE-0-2025-27818)

Vulnerability from cvelistv5 – Published: 2025-06-10 07:52 – Updated: 2026-02-26 17:51

Title

Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration

Summary

A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0). When configuring the broker via config file or AlterConfig command, or connector via the Kafka Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.LdapLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" are disabled in Apache Kafka Connect 3.9.1/4.0.0. We advise the Kafka users to validate connector configurations and only allow trusted LDAP configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

https://kafka.apache.org/cve-list

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kafka	Affected: 2.3.0 , ≤ 3.9.0 (semver)

Credits

罗鑫 <lx2317103712@gmail.com> ra1lgun <ra1lgun@foxmail.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-10T08:05:24.998Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/09/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27818",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-21T03:55:18.338833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:51:05.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.9.0",
              "status": "affected",
              "version": "2.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u7f57\u946b \u003clx2317103712@gmail.com\u003e"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "ra1lgun \u003cra1lgun@foxmail.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A possible security vulnerability has been identified in Apache Kafka.\u003cbr\u003eThis requires access to a alterConfig to the\u0026nbsp;cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config\u003cbr\u003eand a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0).\u003cbr\u003eWhen configuring the broker via config file or AlterConfig command, or connector via the Kafka Kafka Connect REST API, an \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated operator\u003c/span\u003e\u0026nbsp;can set the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e`sasl.jaas.config`\u003cbr\u003e\u003c/span\u003eproperty for any of the connector\u0027s Kafka clients to \"com.sun.security.auth.module.LdapLoginModule\", which can be done via the\u003cbr\u003e`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.\u003cbr\u003eThis will allow the server to connect to the attacker\u0027s LDAP server\u003cbr\u003eand deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.\u003cbr\u003eAttacker can cause \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eunrestricted deserialization of untrusted data (or) \u003c/span\u003eRCE vulnerability when there are gadgets in the classpath.\u003cbr\u003e\u003cbr\u003eSince Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box\u003cbr\u003econfigurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector\u003cbr\u003eclient override policy that permits them.\u003cbr\u003e\u003cbr\u003eSince Apache Kafka 3.9.1/4.0.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage\u003cbr\u003ein SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule\" are disabled in Apache Kafka Connect 3.9.1/4.0.0. \u003cbr\u003e\u003cbr\u003eWe advise the Kafka users to validate connector configurations and only allow trusted LDAP configurations. Also examine connector dependencies for \u003cbr\u003evulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein addition to leveraging the \"org.apache.kafka.disallowed.login.modules\" system property, Kafka Connect users can also implement their own connector\u003cbr\u003eclient config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "A possible security vulnerability has been identified in Apache Kafka.\nThis requires access to a alterConfig to the\u00a0cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config\nand a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0).\nWhen configuring the broker via config file or AlterConfig command, or connector via the Kafka Kafka Connect REST API, an authenticated operator\u00a0can set the `sasl.jaas.config`\nproperty for any of the connector\u0027s Kafka clients to \"com.sun.security.auth.module.LdapLoginModule\", which can be done via the\n`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.\nThis will allow the server to connect to the attacker\u0027s LDAP server\nand deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.\nAttacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath.\n\nSince Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box\nconfigurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector\nclient override policy that permits them.\n\nSince Apache Kafka 3.9.1/4.0.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage\nin SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule\" are disabled in Apache Kafka Connect 3.9.1/4.0.0. \n\nWe advise the Kafka users to validate connector configurations and only allow trusted LDAP configurations. Also examine connector dependencies for \nvulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,\nin addition to leveraging the \"org.apache.kafka.disallowed.login.modules\" system property, Kafka Connect users can also implement their own connector\nclient config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T07:52:31.778Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://kafka.apache.org/cve-list"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-27818",
    "datePublished": "2025-06-10T07:52:31.778Z",
    "dateReserved": "2025-03-07T09:34:38.930Z",
    "dateUpdated": "2026-02-26T17:51:05.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-27817 (GCVE-0-2025-27817)

Vulnerability from cvelistv5 – Published: 2025-06-10 07:55 – Updated: 2025-06-10 15:15

Title

Apache Kafka Client: Arbitrary file read and SSRF vulnerability

Summary

A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly.

Severity ?

No CVSS data available.

CWE

Arbitrary file read and SSRF vulnerability

Assigner

apache

References

URL

Tags

https://kafka.apache.org/cve-list

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kafka Client	Affected: 3.1.0 , ≤ 3.9.0 (semver)

Credits

罗鑫 <lx2317103712@gmail.com> 1ue (https://github.com/luelueking) 4ra1n (https://github.com/4ra1n) enokiy <846800628@qq.com> VulTeam of ThreatBook

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-10T08:05:23.450Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/06/09/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27817",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T14:17:53.791454Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-10T15:15:40.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kafka Client",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.9.0",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u7f57\u946b \u003clx2317103712@gmail.com\u003e"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "1ue (https://github.com/luelueking)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "4ra1n (https://github.com/4ra1n)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "enokiy \u003c846800628@qq.com\u003e"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "VulTeam of ThreatBook"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eA possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including \"sasl.oauthbearer.token.endpoint.url\" and \"sasl.oauthbearer.jwks.endpoint.url\". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the \"sasl.oauthbearer.token.endpoint.url\" and \"sasl.oauthbearer.jwks.endpoint.url\" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. \u003c/div\u003e\u003cp\u003eSince Apache Kafka 3.9.1/4.0.0, we have added a system property (\"-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls\") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly.\u003cbr\u003e\u003c/p\u003e\n\n      \u003cbr\u003e"
            }
          ],
          "value": "A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including \"sasl.oauthbearer.token.endpoint.url\" and \"sasl.oauthbearer.jwks.endpoint.url\". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the \"sasl.oauthbearer.token.endpoint.url\" and \"sasl.oauthbearer.jwks.endpoint.url\" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. \n\nSince Apache Kafka 3.9.1/4.0.0, we have added a system property (\"-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls\") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary file read and SSRF vulnerability",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T07:55:14.422Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kafka.apache.org/cve-list"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Kafka Client: Arbitrary file read and SSRF vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-27817",
    "datePublished": "2025-06-10T07:55:14.422Z",
    "dateReserved": "2025-03-07T08:12:18.582Z",
    "dateUpdated": "2025-06-10T15:15:40.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-1269

CVE-2025-27819 (GCVE-0-2025-27819)

CVE-2025-27818 (GCVE-0-2025-27818)

CVE-2025-27817 (GCVE-0-2025-27817)

Tags

Sightings

Nomenclature