CVE-2024-42118: Improper Validation in Azure Data Explorer Kafka Connect Plugin Leading to KQL Injection

Vulnerability Overview Title: Improper Handling of User-Controlled Configuration Values Leading to Tampering in Azure Data Explorer Kafka Connect Plugin CVE ID: CVE-2024-42118 CVSS v3 Base Score: 5.9 / 10 Severity: Medium Published: Last month Author: tanmaya-panda1 This vulnerability involves the Kafka Connect plugin ( ) for Azure Data Explorer (Kusto). Due to improper validation of user-controlled configuration values, an attacker can inject malicious KQL query commands, leading to tampering with connector configuration, execution of arbitrary management commands, or modification of data ingestion policies. --- Impact Affected Versions: Fixed Version: Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None Exploitation Conditions: The attacker must have permissions to submit or edit Kafka Connect connector configurations. Arbitrary management commands can be executed by injecting KQL meta-characters (e.g., , , , ). Exploitation scenarios include enabling schema enumeration/modification, ingestion mapping tampering, and altering data ingestion policies. Privileged access to connector configuration is required; no end-user interaction or Kafka message payload involvement is needed. --- Remediation Patch In version , the method was introduced to enforce whitelist regular expressions on all fields receiving KQL commands, causing the connector to fail at startup. Whitelist Regular Expressions: Workaround (For users unable to upgrade to v5.2.3) Ensure originates only from trusted, reviewed sources (treat as code, not data). Restrict who can create or modify Kafka Connect connector configurations. Validate that and fields contain only characters from and . Apply the principle of least privilege to the connector's AAD application/managed identity for the target Kusto database. --- References PR #155: https://github.com/Azure/kafka-sink-azure-kusto/pull/155 Release Notes: https://github.com/Azure/kafka-sink-azure-kusto/releases/tag/v5.2.3 CWE-943: https://cwe.mitre.org/data/definitions/943.html

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-42118: Improper Validation in Azure Data Explorer Kafka Connect Plugin Leading to KQL Injection

More from this source