VYPR

Bitnami package

kafka

pkg:bitnami/kafka

Vulnerabilities (11)

  • CVE-2026-41115MedJun 2, 2026
    affected >= 4.0.0, < 4.3.1fixed 4.3.1

    An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that documented in the official kafka documentation and th

  • CVE-2026-33558MedApr 20, 2026
    affected >= 0.11.0, < 3.9.2fixed 3.9.2

    Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit

  • CVE-2026-33557CriApr 20, 2026
    affected >= 4.1.0, < 4.1.2fixed 4.1.2

    A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature,

  • CVE-2025-27817Jun 10, 2025
    affected >= 3.1.0, < 3.9.1fixed 3.9.1

    A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk

  • CVE-2025-27819Jun 10, 2025
    affected >= 2.0.0, < 3.4.1fixed 3.4.1

    In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, th

  • CVE-2025-27818Jun 10, 2025
    affected >= 2.3.0, < 3.9.1fixed 3.9.1

    A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based securi

  • CVE-2024-56128Dec 18, 2024
    affected >= 3.8.0, < 3.8.1fixed 3.8.1

    Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as

  • CVE-2024-27309Apr 12, 2024
    affected >= 3.5.0, < 3.5.2fixed 3.5.2

    While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL co

  • CVE-2022-34917Sep 20, 2022
    affected >= 2.8.0, < 2.8.2fixed 2.8.2

    A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial o

  • CVE-2021-38153Sep 22, 2021
    affected >= 2.0.0, < 2.6.3fixed 2.6.3

    Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera

  • CVE-2020-27218Nov 28, 2020
    affected >= 2.7.0, < 2.7.1fixed 2.7.1

    In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request