confluent-kafka is vulnerable to Improper Certificate Validation
45
Medium Risk
The HashiCorp Vault KMS driver used by Schema Registry Client-Side Field Level Encryption builds its hvac.Client with TLS certificate verification disabled. The HcVaultKmsClient hard-coded verify=False, so connections to Vault never validated the server certificate, and a later _get_verify change still treated an empty ssl.ca.location / VAULT_CACERT value as verification off. A network attacker able to intercept traffic to Vault could impersonate the server, capture the Vault token, and read or tamper with wrapped key-encryption-key material. The fix wires a computed verify (defaulting to True) and optional client cert into hvac.Client and treats empty CA values as unconfigured.
You are affected if you are using a version that falls within the vulnerable range and use the HashiCorp Vault KMS driver for Schema Registry encryption (CSFLE) rules.
confluent-kafka is vulnerable to Improper Certificate Validation in versions 2.6.2 - 2.14.2.
Upgrade the confluent-kafka library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant