漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Arbitrary File Read in Google BigQuery Sink connector
Vulnerability Description
Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
Kafka Connect BigQuery Connector 代码问题漏洞
Vulnerability Description
Kafka Connect BigQuery Connector是Aiven Open开源的一个高性能数据同步中间件。 Kafka Connect BigQuery Connector 2.11.0之前版本存在代码问题漏洞,该漏洞源于服务在将外部来源的凭据配置传递给身份验证库之前未对其进行验证,可能导致任意文件读取或服务端请求伪造攻击。
CVSS Information
N/A
Vulnerability Type
N/A