CVE-2026-23529 (CNNVD-202601-2768)
中文标题:
Kafka Connect BigQuery Connector 代码问题漏洞
英文标题:
Arbitrary File Read in Google BigQuery Sink connector
漏洞描述
中文描述:
Kafka Connect BigQuery Connector是Aiven Open开源的一个高性能数据同步中间件。 Kafka Connect BigQuery Connector 2.11.0之前版本存在代码问题漏洞,该漏洞源于服务在将外部来源的凭据配置传递给身份验证库之前未对其进行验证,可能导致任意文件读取或服务端请求伪造攻击。
英文描述:
Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Aiven-Open | bigquery-connector-for-apache-kafka | < 2.11.0 | - | - |
cpe:2.3:a:aiven-open:bigquery-connector-for-apache-kafka:<_2.11.0:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
cve.org
cve.org
cve.org
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2026-23529 |
2026-01-17 02:19:59 | 2026-01-17 06:00:11 |
| NVD | nvd_CVE-2026-23529 |
2026-01-17 03:00:05 | 2026-01-17 06:00:16 |
| CNNVD | cnnvd_CNNVD-202601-2768 |
2026-01-26 02:10:01 | 2026-01-25 18:11:49 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 代码问题
- cnnvd_id: 未提取 -> CNNVD-202601-2768
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']