Aiven Google BigQuery Kafka Connect Sink Connector Arbitrary File Read Vulnerability
Vulnerability
An arbitrary file read vulnerability has been identified in Aiven's Google BigQuery Kafka Connect Sink connector in versions prior to 2.11.0. The vulnerability arises because the connector does not validate externally sourced Google Cloud credential configurations before they are processed by Google authentication libraries. This lack of validation allows an attacker to supply a malicious credential configuration with crafted file paths or URL endpoints, leading to unauthorized file reads or Server-Side Request Forgery (SSRF) attacks.
Impact
Exploitation of this vulnerability could result in unrestricted read access to the file system. Additionally, in a standalone Kafka Connect instance, the service keys could be used to impersonate the Kafka broker.
Reproduction
To reproduce this vulnerability, upload a credential JSON file whose 'credential_source.file' or 'credential_source.url' field contains a malicious path or URL. The connector will process these credentials without validation, allowing for arbitrary file reads or SSRF attacks.
Remediation
Users are advised to upgrade to version 2.11.0 or later.
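The validation gap described above can be illustrated with a check that vets credential JSON before it reaches an authentication library. This is an added example, not code from the connector or from Aiven's fix; the function name, the policy (reject any 'credential_source.file', allow 'credential_source.url' only over HTTPS to an allow-listed host) and the sample documents are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample documents (not taken from any real deployment).
FILE_SAMPLE = '{"type": "external_account", "credential_source": {"file": "/path/chosen/by/submitter"}}'
URL_SAMPLE = '{"type": "external_account", "credential_source": {"url": "http://internal.example/token"}}'
OK_SAMPLE = '{"type": "external_account", "credential_source": {"url": "https://idp.example.com/token"}}'


def check_credential_config(raw, allowed_url_hosts=frozenset()):
    """Return a list of findings; an empty list means the config passed.

    Assumed policy: credential_source.file is never accepted from an external
    submitter, and credential_source.url must be HTTPS on an allow-listed host.
    """
    try:
        config = json.loads(raw)
    except (TypeError, ValueError) as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(config, dict):
        return ["top-level JSON value is not an object"]
    source = config.get("credential_source")
    if source is None:
        return []  # no credential_source section to vet
    if not isinstance(source, dict):
        return ["credential_source is not an object"]

    findings = []
    if "file" in source:
        findings.append(f"credential_source.file is set: {source['file']!r}")
    if "url" in source:
        url = source["url"]
        try:
            parts = urlsplit(url) if isinstance(url, str) else None
        except ValueError:  # e.g. malformed bracketed host
            parts = None
        if parts is None or parts.scheme != "https" or parts.hostname not in allowed_url_hosts:
            findings.append(f"credential_source.url is not an allow-listed HTTPS endpoint: {url!r}")
    return findings


if __name__ == "__main__":
    for name, doc in [("file", FILE_SAMPLE), ("url", URL_SAMPLE), ("ok", OK_SAMPLE)]:
        print(name, check_credential_config(doc, allowed_url_hosts={"idp.example.com"}))
```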
