Bitnami package
kafka
pkg:bitnami/kafka
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41115 | Med | 4.3 | >= 4.0.0, < 4.3.1 | 4.3.1 | Jun 2, 2026 | An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and th | |
| CVE-2026-33558 | Med | 5.3 | >= 0.11.0, < 3.9.2 | 3.9.2 | Apr 20, 2026 | Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit | |
| CVE-2026-33557 | Cri | 9.1 | >= 4.1.0, < 4.1.2 | 4.1.2 | Apr 20, 2026 | A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, | |
| CVE-2025-27817 | — | >= 3.1.0, < 3.9.1 | 3.9.1 | Jun 10, 2025 | A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk | ||
| CVE-2025-27819 | — | >= 2.0.0, < 3.4.1 | 3.4.1 | Jun 10, 2025 | In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, th | ||
| CVE-2025-27818 | — | >= 2.3.0, < 3.9.1 | 3.9.1 | Jun 10, 2025 | A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based securi | ||
| CVE-2024-56128 | — | >= 3.8.0, < 3.8.1 | 3.8.1 | Dec 18, 2024 | Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as | ||
| CVE-2024-27309 | — | >= 3.5.0, < 3.5.2 | 3.5.2 | Apr 12, 2024 | While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL co | ||
| CVE-2022-34917 | — | >= 2.8.0, < 2.8.2 | 2.8.2 | Sep 20, 2022 | A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial o | ||
| CVE-2021-38153 | — | >= 2.0.0, < 2.6.3 | 2.6.3 | Sep 22, 2021 | Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera | ||
| CVE-2020-27218 | — | >= 2.7.0, < 2.7.1 | 2.7.1 | Nov 28, 2020 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request |
- affected >= 4.0.0, < 4.3.1fixed 4.3.1
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and th
- affected >= 0.11.0, < 3.9.2fixed 3.9.2
Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit
- affected >= 4.1.0, < 4.1.2fixed 4.1.2
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature,
- CVE-2025-27817Jun 10, 2025affected >= 3.1.0, < 3.9.1fixed 3.9.1
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk
- CVE-2025-27819Jun 10, 2025affected >= 2.0.0, < 3.4.1fixed 3.4.1
In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, th
- CVE-2025-27818Jun 10, 2025affected >= 2.3.0, < 3.9.1fixed 3.9.1
A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based securi
- CVE-2024-56128Dec 18, 2024affected >= 3.8.0, < 3.8.1fixed 3.8.1
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as
- CVE-2024-27309Apr 12, 2024affected >= 3.5.0, < 3.5.2fixed 3.5.2
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL co
- CVE-2022-34917Sep 20, 2022affected >= 2.8.0, < 2.8.2fixed 2.8.2
A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial o
- CVE-2021-38153Sep 22, 2021affected >= 2.0.0, < 2.6.3fixed 2.6.3
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera
- CVE-2020-27218Nov 28, 2020affected >= 2.7.0, < 2.7.1fixed 2.7.1
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request