Medium severity 5.9 · NVD Advisory · Published Nov 17, 2024 · Updated Apr 15, 2026
CVE-2023-1419
Description
A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.
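The fix for this CVE neutralizes four MySQL Connector/J pass-through options inside the connector itself. Until every deployment runs a patched version, a defender can audit connector registrations for those same options before they reach Kafka Connect. This is an added example, not Debezium's code; it assumes user-supplied driver options arrive as string values under the `driver.` prefix (Debezium 2.x) or the older `database.` prefix, and the sample configuration and interceptor class name are constructed placeholders.

```python
"""Audit a Debezium MySQL connector config for the JDBC pass-through options
the CVE-2023-1419 fix forces off. Added example, not Debezium code. Assumed:
driver options arrive as strings under "driver." (2.x) or "database." (1.x)."""
from typing import Dict, List, Optional

# From the fix commit: options pinned to false, and the one removed outright.
FORCED_FALSE = ("allowLoadLocalInfile", "allowUrlInLocalInfile", "autoDeserialize")
STRIPPED = ("queryInterceptors",)
PASSTHROUGH_PREFIXES = ("driver.", "database.")  # assumption, see docstring

def jdbc_option(key: str) -> Optional[str]:
    """Bare Connector/J option name for a pass-through config key, else None."""
    for prefix in PASSTHROUGH_PREFIXES:
        if key.startswith(prefix) and len(key) > len(prefix):
            return key[len(prefix):]
    return None

def audit_connector_config(config: Dict[str, str]) -> List[str]:
    """Findings for options a pre-2.3.0.Alpha1 connector would pass through as-is."""
    findings = []
    for key, value in config.items():
        opt = jdbc_option(key)
        if opt in FORCED_FALSE and str(value).strip().lower() != "false":
            findings.append(f"{key}={value}: patched connectors force this to false")
        elif opt in STRIPPED:
            findings.append(f"{key}={value}: patched connectors drop this option")
    return findings

def harden_connector_config(config: Dict[str, str]) -> Dict[str, str]:
    """Copy of config with the end state the patched MySqlConnection enforces."""
    hardened = {k: v for k, v in config.items() if jdbc_option(k) not in STRIPPED}
    for key in list(hardened):
        if jdbc_option(key) in FORCED_FALSE:
            hardened[key] = "false"
    for opt in FORCED_FALSE:  # pin options the user never mentioned
        if not any(jdbc_option(k) == opt for k in hardened):
            hardened["driver." + opt] = "false"
    return hardened

# Constructed sample, modelled on a Kafka Connect connector registration.
SAMPLE_CONFIG = {
    "connector.class": "io.debezium.connector.mysql.MySqlConnector",
    "database.hostname": "mysql.example.internal",
    "driver.allowLoadLocalInfile": "true",
    "driver.queryInterceptors": "com.example.PlaceholderInterceptor",  # placeholder
}
```

Run `audit_connector_config` against each connector config pulled from the Connect REST API; a non-empty result on an unpatched connector version is the condition to act on.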
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.debezium:debezium-connector-mysql | Maven | < 2.3.0.Alpha1 | 2.3.0.Alpha1 |
| io.debezium:debezium-connector-sqlserver | Maven | < 2.3.0.Alpha1 | 2.3.0.Alpha1 |
| io.debezium:debezium-core | Maven | < 2.3.0.Alpha1 | 2.3.0.Alpha1 |
Patches
158ef4f0b9842 DBZ-6157 Disable potentially dangerous MySQL JDBC props
4 files changed · +45 −0
debezium-connector-mysql/src/main/java/io/debezium/connector/mysql/MySqlConnection.java+7 −0 modified@@ -524,6 +524,13 @@ public MySqlConnectionConfiguration(Configuration config) { jdbcConfigBuilder.with(JDBC_PROPERTY_CONNECTION_TIME_ZONE, determineConnectionTimeZone(dbConfig)); + // Set and remove options to prevent potential vulnerabilities + jdbcConfigBuilder + .with("allowLoadLocalInfile", "false") + .with("allowUrlInLocalInfile", "false") + .with("autoDeserialize", false) + .without("queryInterceptors"); + this.jdbcConfig = JdbcConfiguration.adapt(jdbcConfigBuilder.build()); String driverClassName = this.jdbcConfig.getString(MySqlConnectorConfig.JDBC_DRIVER); factory = JdbcConnection.patternBasedFactory(MySqlConnection.URL_PATTERN, driverClassName, getClass().getClassLoader());
debezium-connector-sqlserver/src/main/java/io/debezium/connector/sqlserver/SqlServerJdbcConfiguration.java+12 −0 modified@@ -97,6 +97,12 @@ public Builder withDefault(String key, String value) { return this; } + @Override + public Builder without(String key) { + builder.without(key); + return this; + } + @Override public Builder apply(Consumer<SqlServerJdbcConfiguration.Builder> function) { function.accept(this); @@ -148,6 +154,12 @@ public Builder withDefault(String key, String value) { return this; } + @Override + public Builder without(String key) { + builder.without(key); + return this; + } + @Override public Builder apply(Consumer<SqlServerJdbcConfiguration.Builder> function) { function.accept(this);
debezium-core/src/main/java/io/debezium/config/Configuration.java+14 −0 modified@@ -475,6 +475,14 @@ default B withDefault(Field field, Class<?> value) { return withDefault(field.name(), value != null ? value.getName() : null); } + /** + * Remove the value associated with the specified key. + * + * @param key the key + * @return this builder object so methods can be chained together; never null + */ + B without(String key); + /** * Apply the function to this builder. * @@ -691,6 +699,12 @@ public Builder withDefault(String key, String value) { return this; } + @Override + public Builder without(String key) { + props.remove(key); + return this; + } + @Override public Builder apply(Consumer<Builder> function) { function.accept(this);
debezium-core/src/main/java/io/debezium/jdbc/JdbcConfiguration.java+12 −0 modified@@ -213,6 +213,12 @@ public Builder withDefault(String key, String value) { return this; } + @Override + public Builder without(String key) { + builder.without(key); + return this; + } + @Override public Builder apply(Consumer<Builder> function) { function.accept(this); @@ -264,6 +270,12 @@ public Builder withDefault(String key, String value) { return this; } + @Override + public Builder without(String key) { + builder.without(key); + return this; + } + @Override public Builder apply(Consumer<Builder> function) { function.accept(this);
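Review bot: in the MySqlConnection hunk the three overrides use two value types, `.with("allowLoadLocalInfile", "false")` and `.with("allowUrlInLocalInfile", "false")` as strings but `.with("autoDeserialize", false)` as a boolean; pick one representation so all three serialize identically when the adapted JdbcConfiguration is turned into driver properties. Since all 45 added lines sit under src/main, a test that registers `allowLoadLocalInfile=true` and a `queryInterceptors` value in the connector config and asserts they come out as false/absent from `JdbcConfiguration.adapt(jdbcConfigBuilder.build())` would pin down the behaviour the "Set and remove options to prevent potential vulnerabilities" comment promises.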
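Review bot: in the Configuration.java hunk, `B without(String key);` is added to the Builder interface as an abstract method with no default body, so any implementation of Configuration.Builder outside this repository stops compiling on upgrade (the SqlServerJdbcConfiguration and JdbcConfiguration hunks show that even in-tree every delegating builder needed its own override). Either provide a `default B without(String key)` implementation, or state in the new Javadoc that this is a breaking change to the builder contract.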