SCA: security update for org.apache.kafka:kafka_2.12, org.apache.kafka:kafka_2.13 (GHSA-mcwh-c9pg-xw43)

high Tenable Cloud Security Plugin ID 436362

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in Apache Kafka 3.9.1/4.0.0 (CVE-2025-27819).

See Also

https://github.com/advisories/GHSA-mcwh-c9pg-xw43

Plugin Details

Severity: High

ID: 436362

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 12/12/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-27819

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/10/2025

Vulnerability Publication Date: 6/10/2025

Reference Information

CVE: CVE-2025-27819

CWE: CWE-502