VulnerableCode Package Details - pkg:maven/org.apache.kafka/kafka@3.4.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.apache.kafka/kafka@3.4.0

Essentials
History (1)

purl	pkg:maven/org.apache.kafka/kafka@3.4.0

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-ynnz-mx89-2bbu	Apache Kafka Deserialization of Untrusted Data vulnerability In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0	CVE-2025-27819 GHSA-mcwh-c9pg-xw43

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T12:41:32.168826+00:00	GitLab Importer	Fixing	VCID-ynnz-mx89-2bbu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.kafka/kafka/CVE-2025-27819.yml	38.0.0