Sensitive Configuration Exposure in Apache Pulsar's Integration with Apache Kafka
CVE-2025-30677

6.3 MEDIUM

Key Information:

Summary

Apache Pulsar IO's integration with Apache Kafka contains a vulnerability where sensitive configuration properties are written in plain text to the application logs. This can leak credentials, in particular the Apache Kafka credentials configured for the connector. An attacker who can read these logs could recover those credentials. Users of Apache Pulsar should upgrade to the patched versions (3.0.11, 3.3.6, or 4.0.4 or newer) to address this vulnerability; remaining on an unpatched version increases the risk of unauthorized access and data breaches.
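The mitigation on the application side is to redact secret-bearing properties before a connector configuration is ever formatted into a log message, and on the operations side to check existing logs for values that were already written in the clear. The following is an added illustration of both steps, not code from Apache Pulsar or the Kafka Connect adaptor. It assumes standard Kafka client property names (`ssl.truststore.password`, `sasl.jaas.config`, and so on); the configuration dictionary, the log lines and the list of sensitive key patterns are constructed for the example, and the redaction policy is a hypothetical one.

```python
import re

# Key names (or fragments of them) that carry secrets in a Kafka client
# configuration. The list is a constructed example policy, not Pulsar's.
SENSITIVE_KEY_RE = re.compile(
    r"(password|secret|token|credential|sasl\.jaas\.config)", re.IGNORECASE
)

# A JAAS login string embeds `password="..."` in plain text; mask only the
# password so the login module and username stay visible for debugging.
JAAS_PASSWORD_RE = re.compile(r"(password\s*=\s*)(['\"])([^'\"]*)\2", re.IGNORECASE)

# Flags `password=...` / `secret: ...` / `token=...` in a log line unless the
# value is already the redaction marker.
SECRET_IN_LOG_RE = re.compile(
    r"(password|secret|token)\s*[=:]\s*(?!['\"]?\[hidden\])\S", re.IGNORECASE
)

REDACTED = "[hidden]"

# Constructed sample connector configuration (values are placeholders).
SAMPLE_CONFIG = {
    "bootstrap.servers": "kafka.example.internal:9093",
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "PLAIN",
    "sasl.jaas.config": (
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        'username="pulsar-sink" password="s3cr3t-example";'
    ),
    "ssl.truststore.location": "/etc/pulsar/truststore.jks",
    "ssl.truststore.password": "trust-example",
    "group.id": "pulsar-io-example",
}

# Constructed sample log lines: line 2 leaks a password, line 3 is redacted.
SAMPLE_LOG_LINES = [
    "INFO  KafkaSink - starting with bootstrap.servers=kafka.example.internal:9093",
    "INFO  KafkaSink - config: ssl.truststore.password=trust-example, group.id=pulsar-io-example",
    "INFO  KafkaSink - config: ssl.truststore.password=[hidden], group.id=pulsar-io-example",
]


def redact_value(key, value):
    """Return the value to log for one configuration entry."""
    if key.lower() == "sasl.jaas.config" and isinstance(value, str):
        # Keep the JAAS structure, hide only the embedded password.
        return JAAS_PASSWORD_RE.sub(
            lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}{m.group(2)}", value
        )
    if SENSITIVE_KEY_RE.search(key):
        return REDACTED
    return value


def redact_config(config):
    """Copy of the configuration with secret-bearing values replaced."""
    return {k: redact_value(k, v) for k, v in config.items()}


def format_for_log(config):
    """Stable one-line rendering that is safe to hand to a logger."""
    return ", ".join(f"{k}={v}" for k, v in sorted(redact_config(config).items()))


def find_leaked_secrets(log_lines):
    """1-based indices of log lines that still contain an unredacted secret."""
    return [i for i, line in enumerate(log_lines, 1) if SECRET_IN_LOG_RE.search(line)]


if __name__ == "__main__":
    print(format_for_log(SAMPLE_CONFIG))
    print("lines with leaked secrets:", find_leaked_secrets(SAMPLE_LOG_LINES))
```

`find_leaked_secrets` is the check to run over logs produced by an unpatched version before and after the upgrade; any line it flags should be treated as a credential exposure, and the credential rotated, because the logs may already have been copied to aggregation or backup systems.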

Affected Version(s)

  • Apache Pulsar IO Kafka Connect Adaptor from 2.3.0 before 3.0.11

  • Apache Pulsar IO Kafka Connect Adaptor from 3.1.0 before 3.3.6

  • Apache Pulsar IO Kafka Connect Adaptor from 4.0.0 before 4.0.4

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kyler Katz