Karapace · Karapace · CVE-2026-29190
**Name of the Vulnerable Software and Affected Versions**
Karapace versions prior to 6.0.0
**Description**
Karapace is an implementation of Kafka REST and Schema Registry. A path traversal flaw exists in the backup reader (backup/backends/v3/backend.py) in versions before 6.0.0. An attacker providing a malicious backup file may exploit inadequate path validation to read arbitrary files on the system running Karapace. This impacts deployments utilizing the backup/restore functionality with backups from untrusted sources. The extent of the impact is determined by the file system permissions of the Karapace process.
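The flaw described above is a containment failure: a file name taken from an untrusted backup is joined onto the backup directory without confirming that the resulting path still lies inside it. The check below is an added example of the defensive pattern, not Karapace's own code; the backup directory and entry names are constructed, and `resolve_backup_entry` / `is_safe_entry` are hypothetical helper names.

```python
from pathlib import Path


def resolve_backup_entry(backup_dir: str, entry_name: str) -> Path:
    """Resolve a file name read from an untrusted backup against backup_dir.

    Returns the resolved path only when it stays inside backup_dir and raises
    ValueError otherwise. Hypothetical helper written for this example.
    """
    base = Path(backup_dir).resolve()

    # An absolute name would ignore the base directory entirely, so reject it
    # before joining rather than relying on the containment check alone.
    if Path(entry_name).is_absolute():
        raise ValueError(f"absolute path in backup entry: {entry_name!r}")

    # resolve() collapses '..' components and, for paths that exist, follows
    # symlinks, so the comparison is done on the real target, not the name.
    candidate = (base / entry_name).resolve()

    # relative_to() works on path components, so a sibling such as
    # /srv/backups-old is not mistaken for a child of /srv/backups the way a
    # plain string prefix check would.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(
            f"backup entry escapes the backup directory: {entry_name!r}"
        ) from None
    return candidate


def is_safe_entry(backup_dir: str, entry_name: str) -> bool:
    """Boolean wrapper around resolve_backup_entry for audits and tests."""
    try:
        resolve_backup_entry(backup_dir, entry_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a backup directory and a few entry names as they
    # might appear in a manifest, some benign and some attempting traversal.
    for name in ("topic-1/segment-0.data", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: {'ok' if is_safe_entry('/srv/backups', name) else 'rejected'}")
```

Because the check compares resolved paths, it also catches an entry that names a symlink pointing outside the directory once that link exists on disk, which a pure string check on the manifest would miss.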
**Recommendations**
Update to version 6.0.0 or later.