CVE-2025-30677

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30677
Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue. This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4. 3.0.x version users should upgrade to at least 3.0.11. 3.3.x version users should upgrade to at least 3.3.6. 4.0.x version users should upgrade to at least 4.0.4. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d Mailing List Vendor Advisory
https://pulsar.apache.org/security/ Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/04/09/2 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
History

15 Jul 2025, 19:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
References () https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d - () https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d - Mailing List, Vendor Advisory
References () https://pulsar.apache.org/security/ - () https://pulsar.apache.org/security/ - Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/04/09/2 - () http://www.openwall.com/lists/oss-security/2025/04/09/2 - Mailing List, Third Party Advisory
CPE cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
First Time Apache
Apache pulsar
Summary
  • (es) Apache Pulsar contiene múltiples conectores para la integración con Apache Kafka. Los conectores de origen, receptor y receptor del adaptador Kafka Connect de Pulsar IO registran propiedades de configuración sensibles en texto plano en los registros de la aplicación. Esta vulnerabilidad puede provocar la exposición involuntaria de credenciales en los archivos de registro, lo que podría permitir a atacantes con acceso a estos registros obtener credenciales de Apache Kafka. El impacto de la vulnerabilidad es limitado debido a que un atacante necesitaría acceder a los registros de la aplicación para explotar este problema. Este problema afecta a los conectores de Apache Kafka de Apache Pulsar IO en todas las versiones anteriores a la 3.0.11, 3.3.6 y 4.0.4. Los usuarios de la versión 3.0.x deben actualizar al menos a la 3.0.11. Los usuarios de la versión 3.3.x deben actualizar al menos a la 3.3.6. Los usuarios de la versión 4.0.x deben actualizar al menos a la 4.0.4. Los usuarios de versiones anteriores a las mencionadas anteriormente deben actualizar a las versiones parcheadas mencionadas o a versiones más recientes.

09 Apr 2025, 16:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/04/09/2 -

09 Apr 2025, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-09 12:15

Updated : 2025-07-15 19:15

NVD link : CVE-2025-30677

Mitre link : CVE-2025-30677

CVE.ORG link : CVE-2025-30677

JSON object : View

Products Affected

apache

  • pulsar
CWE
CWE-532

Insertion of Sensitive Information into Log File