CNNVD-202510-392 Information
CNNVD ID
CNNVD-202510-392
Related CVE
- CNNVD Published: 2025-10-03
Description (Chinese, translated)
Karapace is an open-source message queue tool from Aiven Open. Karapace versions 5.0.0 and 5.0.1 contain an access control error vulnerability: when a request lacks the Authorization header, the token validation logic is skipped, which can allow unauthenticated users to read from and write to Schema Registry endpoints.
Description (English)
Karapace is an open-source message queue tool from Aiven Open. Karapace versions 5.0.0 and 5.0.1 contain an access control error vulnerability: the token validation logic is skipped when the Authorization header is missing from a request, which can allow unauthenticated users to read from and write to Schema Registry endpoints.
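To make the failure mode in the two descriptions above concrete, here is an added illustrative example in Python (not Karapace's own code and not taken from the advisory): a bearer-token check for a registry-style HTTP endpoint, written first with the fail-open defect the record describes (a missing header is treated as "nothing to validate") and then in the fail-closed form. The token value, the function names and the `handle_request` helper are all constructed for the illustration.

```python
"""Fail-open vs fail-closed handling of a missing Authorization header.

Illustrative code, not Karapace's implementation: a minimal token check for a
schema-registry-style endpoint, once with the fail-open defect and once hardened.
"""
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample credential; a real deployment loads this from configuration.
VALID_TOKEN = "example-token-123"


@dataclass
class AuthResult:
    allowed: bool
    reason: str


def _bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token from an Authorization header.

    None  -> header absent
    ""    -> header present but not a usable 'Bearer <token>' value
    str   -> the token
    """
    value = headers.get("Authorization")
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return ""
    return token.strip()


def authorize_fail_open(headers: Mapping[str, str]) -> AuthResult:
    """Defective variant: validation only runs when the header is present."""
    token = _bearer_token(headers)
    if token is None:
        # BUG: 'no header' is treated as 'nothing to check', so the request passes.
        return AuthResult(True, "no Authorization header; check skipped")
    if token and hmac.compare_digest(token, VALID_TOKEN):
        return AuthResult(True, "valid token")
    return AuthResult(False, "invalid token")


def authorize_fail_closed(headers: Mapping[str, str]) -> AuthResult:
    """Hardened variant: absent or malformed credentials are a denial."""
    token = _bearer_token(headers)
    if not token:
        return AuthResult(False, "missing or malformed Authorization header")
    if hmac.compare_digest(token, VALID_TOKEN):
        return AuthResult(True, "valid token")
    return AuthResult(False, "invalid token")


def handle_request(headers: Mapping[str, str], authorize=authorize_fail_closed):
    """Return (status, response headers, body) for a protected endpoint."""
    result = authorize(headers)
    if not result.allowed:
        return 401, {"WWW-Authenticate": 'Bearer realm="schema-registry"'}, result.reason
    return 200, {}, "ok"


if __name__ == "__main__":
    # Constructed requests: no header, a valid token, a wrong token, a wrong scheme.
    samples = [
        {},
        {"Authorization": "Bearer example-token-123"},
        {"Authorization": "Bearer not-the-token"},
        {"Authorization": "Basic dXNlcjpwYXNz"},
    ]
    for hdrs in samples:
        print(hdrs, "fail-open:", handle_request(hdrs, authorize_fail_open)[0],
              "fail-closed:", handle_request(hdrs)[0])
```

The single difference that matters is in the first branch of each function: the hardened version makes "no credential presented" the same outcome as "bad credential presented", so the authentication layer cannot be bypassed by omitting the header. A regression test that sends a header-less request to every authenticated route and expects 401 is the cheapest way to keep this property from silently disappearing in a refactor.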
Hazard Level
Medium
Vulnerability Type
Access control error
Affected Vendor
Aiven Open
Published
2025-10-03
Last Modified
2026-02-24
References
- https://github.com/Aiven-Open/karapace/pull/1143/commits/c4038e9ce9fa504b433d59ac2944e337292922c7
- https://github.com/Aiven-Open/karapace/releases/tag/5.0.2
- https://github.com/Aiven-Open/karapace/security/advisories/GHSA-vq25-vcrw-gj53
Patch
https://github.com/Aiven-Open/karapace/releases