Debezium Database Connector Script Injection Vulnerability
CVE-2023-1419 Published on November 17, 2024

Debezium: script injection via connector parameter
A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.

NVD

Vulnerability Analysis

CVE-2023-1419 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public. 477 days later.

Weakness Type

Improper Handling of Parameters

The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.


Affected Versions

Red Hat build of Debezium: Red Hat Integration Change Data Capture:

Exploit Probability

EPSS
0.17%
Percentile
38.01%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.