GHSA-xrhh-hx36-485q

Source

https://github.com/advisories/GHSA-xrhh-hx36-485q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-xrhh-hx36-485q/GHSA-xrhh-hx36-485q.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-xrhh-hx36-485q

Aliases

CVE-2025-66623

Published

2025-12-05T22:02:37Z

Modified

2025-12-05T22:16:06.140508Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands

Details

Impact

In some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The exact scenario when this happens is when: * Apache Kafka Connect is deployed without at least one of the following options configured: * TLS encryption with configured trusted certificates (no .spec.tls.trustedCertificates section in the KafkaConnect CR) * mTLS authentication (no type: tls in .spec.authentication section of the KafkaConnect CR) * TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.authentication.tlsTrustedCertificates section in the KafkaConnect CR) * Apache Kafka MirrorMaker2 is deployed without at least one of the following options configured for the target cluster: * TLS encryption with configured trusted certificates (no .spec.target.tls.trustedCertificates section in the KafkaConnect CR) * mTLS authentication (no type: tls in .spec.target.authentication section of the KafkaConnect CR) * TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.target.authentication.tlsTrustedCertificates section in the KafkaConnect CR) * TLS encryption with configured trusted certificates (no .spec.clusters[].tls.trustedCertificates section in the KafkaConnect CR for the target cluster) * mTLS authentication (no type: tls in .spec.clusters[].authentication section of the KafkaConnect CR for the target cluster) * TLS encryption with configured trusted certificates for type: oauth authentication (no .spec.clusters[].authentication.tlsTrustedCertificates section in the KafkaConnect CR for the target cluster)

When the operands configured as described above are deployed with Strimzi >= 0.47.0 and <= 0.49.0, any code running within their Pods and using their Service Account for authentication will be able to GET any Kubernetes Secret from the same namespace. This can be done by executing 3rd party tools from the Pods. Or directly from the Kafka Connect code, for example, using configuration providers or HTTP connectors. The Pods are allowed to only GET the Secrets. They are not allowed to list, watch, modify, or delete the Secrets.

Patches

The issue is fixed in Strimzi 0.49.1.

Workarounds

There is no workaround for this issue when using the affected operands with the affected configurations.

Database specific

{
    "cwe_ids": [
        "CWE-200",
        "CWE-863"
    ],
    "nvd_published_at": "2025-12-05T19:15:52Z",
    "severity": "HIGH",
    "github_reviewed_at": "2025-12-05T22:02:37Z",
    "github_reviewed": true
}

References

Affected packages

Maven / io.strimzi:strimzi

Package

Name: io.strimzi:strimzi; View open source insights on deps.dev
Purl: pkg:maven/io.strimzi/strimzi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.47.0

Fixed

0.49.1

Affected versions

0.*

0.47.0

0.48.0-RC1

0.48.0

0.49.0-RC1

0.49.0-RC2

0.49.0

0.49.1-RC1