Azure Data Explorer Kafka Connect Plugin KQL Injection Vulnerability
Vulnerability
A tampering vulnerability has been identified in the `kafka-sink-azure-kusto` Kafka Connect plugin, Microsoft's official sink connector for Azure Data Explorer (Kusto). Prior to version 5.2.3, the plugin did not sanitize the values it read from the `kusto.tables.topics.mapping` configuration, the JSON array that maps each Kafka topic to a Kusto database, table, ingestion format and ingestion mapping. Because those values are interpolated into the KQL management and query commands the connector issues against the database, an actor who can edit the connector configuration could inject KQL metacharacters into those commands, potentially leading to unauthorized schema modifications, ingestion-mapping alterations, or changes to streaming and retention policies on the targeted Azure Data Explorer database.
Impact
Exploitation of this vulnerability could allow an attacker to execute KQL management commands of their choosing, such as enumerating or modifying database schemas, tampering with ingestion mappings, or altering streaming and retention policies. The commands run in the context of the connector's service principal or managed identity, so the damage is bounded by the role that identity holds on the target database.
Remediation
Upgrade to version 5.2.3 or later, which addresses the vulnerability by sanitizing the `kusto.tables.topics.mapping` configuration values. For those unable to upgrade, validate the mapping entries for KQL injection risks (reject any database, table or mapping name that is not a plain identifier), restrict who can create or modify Kafka Connect connector configurations (including through the Connect REST API), and scope the connector's Azure Active Directory (Microsoft Entra ID) application or managed identity to the least privilege it needs on the target Kusto database, so that an injected command cannot alter schema or policies even if it is executed.
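The following is an added example, not code from the plugin or from Microsoft, of the interim check described above: it parses a `kusto.tables.topics.mapping` value and rejects any `db`, `table` or `mapping` field that is not a plain Kusto entity name. The entity-name allowlist, the helper names, the naive command builder and the sample mapping strings are all assumptions made for illustration; the builder exists only to show how an unchecked value ends up inside a management command, and is not the plugin's actual code path. Standard double-quoted JSON is assumed for the config value.

```python
"""Validate kafka-sink-azure-kusto topic mappings before they reach KQL.

Added example (not the plugin's code). It assumes the documented shape of
kusto.tables.topics.mapping: a JSON array of objects with keys such as
topic, db, table, format and mapping.
"""
import json
import re

# Hypothetical allowlist: plain Kusto entity names only (letter or underscore,
# then letters, digits, underscores). Quotes, brackets, semicolons, pipes,
# newlines and '//' comment markers are rejected rather than escaped.
_SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,1023}$")

# Fields whose values are interpolated into KQL commands by the sink.
_KQL_FIELDS = ("db", "table", "mapping")

# Constructed sample configurations (not real deployments).
GOOD_MAPPING = json.dumps([
    {"topic": "events", "db": "telemetry", "table": "Events",
     "format": "json", "mapping": "EventsJsonMapping"},
])
INJECTED_MAPPING = json.dumps([
    {"topic": "events", "db": "telemetry",
     # Injected pipe and comment marker turn the rest of the command into a query.
     "table": "Events | take 0 //",
     "format": "json", "mapping": "EventsJsonMapping"},
])


def build_show_mappings_command(table: str, fmt: str) -> str:
    """Naive command construction by string interpolation (illustrative only).

    With an unchecked table name the injected metacharacters become part of
    the management command sent to the cluster.
    """
    return f".show table {table} ingestion {fmt} mappings"


def validate_topics_mapping(raw: str) -> list:
    """Parse the config value and reject any entry whose KQL-bearing fields
    are not plain identifiers. Returns the parsed entries on success and
    raises ValueError describing the first offending field otherwise."""
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"kusto.tables.topics.mapping is not valid JSON: {exc}") from None
    if not isinstance(entries, list) or not entries:
        raise ValueError("kusto.tables.topics.mapping must be a non-empty JSON array")
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i} is not a JSON object")
        for key in _KQL_FIELDS:
            value = entry.get(key)
            if value is None:
                continue  # 'mapping' is optional; presence of db/table is the plugin's concern
            if not isinstance(value, str) or not _SAFE_IDENT.match(value):
                raise ValueError(
                    f"entry {i}: field {key!r} is not a plain Kusto entity name: {value!r}"
                )
    return entries


def is_safe_mapping(raw: str) -> bool:
    """Boolean wrapper for use in a pre-deployment check or CI gate."""
    try:
        validate_topics_mapping(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    bad = json.loads(INJECTED_MAPPING)[0]
    print("unchecked command:", build_show_mappings_command(bad["table"], bad["format"]))
    print("good mapping accepted:", is_safe_mapping(GOOD_MAPPING))
    print("injected mapping accepted:", is_safe_mapping(INJECTED_MAPPING))
```

Run the check against the connector JSON before it is submitted to the Connect REST API; a deny-on-mismatch allowlist is preferable to escaping because Kusto entity names that genuinely need quoting are rare in this context and the set of KQL metacharacters is easier to get wrong than the set of allowed ones.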
