VDB
GCVE-110-CONFSA-2023-0001
GCVE-110-CONFSA-2023-0001
Advisory Published
Impacted Versions Confluent Platform versions 7.0.0-7.0.8, 7.1.0-7.1.6, 7.2.0-7.2.4, 7.3.0-7.3.2 Recommended Actions Update to one of the patched Confluent Platform versions: 7.0.9, 7.1.7, 7.2.5, 7.3.3 Issue Schema Linking for Confluent Platform keeps schemas in sync across two Schema Registry clusters. A schema exporter is a component that resides in Schema Registry for exporting subjects or contexts (grouping of subjects) from a source Schema Registry cluster to a destination Schema Registry cluster. Prior to the rollout of RBAC for Schema Linking, RBAC based read restrictions for subjects or contexts could be bypassed using the Schema Linking feature. Without RBAC enforcement, Schema links can be misused by lower-privileged users by creating links that export subjects from a source Schema Registry cluster (where that user is restricted from reading schemas) to any destination Schema Registry cluster where the user has permission to read any subject. RBAC based restrictions on write, delete and update APIs for Schema Registry are not affected by this vulnerability. Remediation Upgrade to the patched versions of Confluent Platform versions: 7.0.9, 7.1.7, 7.2.5, 7.3.3. Note : Any schema links created prior to the upgrade will continue to work as before. Please refer to this document for configuring RBAC based access controls that will be enforced for CRUD operations on schema linking exporters for existing and new schema links. Only ClusterAdmin , SystemAdmin and ResourceOwner (only if scope is Subject = * ) roles will be allowed to perform CRUD operations on schema links in patched versions. After upgrading to the recommended versions above, we recommend a thorough configuration review of any existing schema links that were created before RBAC rollout of Schema Links in the patched Confluent Platform versions, in order to ensure that subjects or contexts already being exported to a destination cluster meet your access control requirements. Schema Linking APIs can be used to list existing exporters and their configuration. If you need to delete or change configuration of a schema link created before upgrading to patched Confluent Platform versions, you can use a user with a role allowed to change or delete schema links using Schema Linking APIs . Assign appropriate roles to users and service accounts per your access control requirements for CRUD operations on new Schema Links. CVSS Score 5.5 CVSS v3.1 Calculator https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N&version=3.1
Aliases
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.