Description

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role that grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands GET access to all Kubernetes Secrets in the given Kubernetes namespace, rather than only the Secrets those operands need. The issue is fixed in Strimzi 0.49.1.
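The following is an added example, not code from the advisory or the Strimzi project. It shows how an operator can audit Role manifests for the class of misconfiguration described above: a rule that allows reading Secrets with no `resourceNames` restriction, which in RBAC terms means every Secret in the namespace. The two manifests are constructed samples; the Role name, namespace and Secret names in them are hypothetical.

```python
"""Audit Kubernetes Role/ClusterRole manifests for rules that grant read
access to every Secret in a namespace.  Added example; not Strimzi code."""

from typing import Iterable

# Verbs that let a subject read Secret contents.  "*" covers everything.
READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample manifests (hypothetical names, not from the advisory).
# They are plain dicts to keep the script dependency-free; in practice the
# input would come from `kubectl get roles -A -o json` or similar.
OVERLY_BROAD_ROLE = {
    "kind": "Role",
    "metadata": {"name": "connect-role", "namespace": "kafka"},
    "rules": [
        # No resourceNames: GET is allowed on any Secret in the namespace.
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}

SCOPED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "connect-role", "namespace": "kafka"},
    "rules": [
        # Same verb, but restricted to named Secrets (hypothetical names).
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["my-connect-tls", "my-connect-oauth"]},
    ],
}


def broad_secret_rules(role: dict) -> list:
    """Return the rules in `role` that allow reading Secrets without a
    resourceNames restriction.  An empty list means the Role is scoped."""
    findings = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = {v.lower() for v in rule.get("verbs", [])}
        # Secrets live in the core API group, written as "" in RBAC rules.
        touches_secrets = (
            ("" in groups or "*" in groups)
            and ("secrets" in resources or "*" in resources)
        )
        if touches_secrets and verbs & READ_VERBS and not rule.get("resourceNames"):
            findings.append(rule)
    return findings


def audit(roles: Iterable[dict]) -> list:
    """Return (namespace, role name, rule) for every broad Secret-read rule
    across the given manifests, so the caller can report or fail a CI check."""
    out = []
    for role in roles:
        meta = role.get("metadata", {})
        for rule in broad_secret_rules(role):
            out.append((meta.get("namespace", "<cluster>"), meta.get("name", "?"), rule))
    return out


if __name__ == "__main__":
    for ns, name, rule in audit([OVERLY_BROAD_ROLE, SCOPED_ROLE]):
        print(f"{ns}/{name}: grants {sorted(rule['verbs'])} on all Secrets")
```

Two caveats when using this as a check: `resourceNames` only meaningfully restricts `get` (Kubernetes cannot apply it to `list` or `watch`), so a scoped Role should not carry those verbs on Secrets at all; and a RoleBinding to a broad ClusterRole produces the same exposure, so ClusterRoles bound into the namespace need the same audit.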

PUBLISHED Reserved 2025-12-05 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M

HIGH: 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-863: Incorrect Authorization

Product status

>= 0.47.0, < 0.49.1: affected

References

github.com/...erator/security/advisories/GHSA-xrhh-hx36-485q

github.com/...ommit/c8a14935e99c91eb0dd865431f46515da9f82ccc

cve.org (CVE-2025-66623)

nvd.nist.gov (CVE-2025-66623)