https://kafka.apache.org/cve-list APACHE KAFKA SECURITY VULNERABILITIES incorrectly lists fixed versions 2.0.2 and 2.1.2, but those don't exist (e.g. in https://archive.apache.org/dist/kafka/). I'm not qualified to modify anything -- just letting you know in case someone can fix it.
--Franklin