CVE-2025-30677

MEDIUM EPSS 43.0%
Published Apr 9, 20251y ago · Modified Jun 17, 20262w ago
6.3 CVSS 4.0
Medium
Find Similar
Published Apr 9, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue. This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4. 3.0.x version users should upgrade to at least 3.0.11. 3.3.x version users should upgrade to at least 3.3.6. 4.0.x version users should upgrade to at least 4.0.4. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

CVSS Details

Base Score
6.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
43.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-532

Affected Products 3

VendorProductVersionRange
apachepulsar*≥2.3.0  –  <3.0.11
apachepulsar*≥3.3.0  –  <3.3.6
apachepulsar*≥4.0.0  –  <4.0.4

References 3

  • openwall.com http://www.openwall.com/lists/oss-security/2025/04/09/2
    Mailing ListThird Party Advisory
  • lists.apache.org https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d
    Mailing ListVendor Advisory
  • pulsar.apache.org https://pulsar.apache.org/security/
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.