VulnerableCode Package Details - pkg:maven/org.apache.kafka/kafka_2.8.0@None

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.apache.kafka/kafka_2.8.0@None

Essentials
History (1)

purl	pkg:maven/org.apache.kafka/kafka_2.8.0@None
Tags	Ghost

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-ynnz-mx89-2bbu Aliases: CVE-2025-27819 GHSA-mcwh-c9pg-xw43	Apache Kafka Deserialization of Untrusted Data vulnerability In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0	There are no reported fixed by versions.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T12:41:31.933450+00:00	GitLab Importer	Affected by	VCID-ynnz-mx89-2bbu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.kafka/kafka_2.8.0/CVE-2025-27819.yml	38.0.0