Karapace: Path Traversal in Backup Reader

Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation to perform arbitrary file read on the system where Karapace is running. The issue affects deployments that use the backup/restore functionality and process backups from untrusted sources. The impact depends on the file system permissions of the Karapace process. This issue has been patched in version 6.0.0.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

对路径名的限制不恰当(路径遍历)

karapace 路径遍历漏洞

karapace是Aiven Open开源的一个消息队列工具。 Karapace 6.0.0之前版本存在路径遍历漏洞，该漏洞源于备份读取器存在路径遍历问题，可能导致任意文件读取。

N/A

N/A