Audrey Budryte

**Name of the Vulnerable Software and Affected Versions** Klaw versions prior to 2.10.2 **Description** Klaw, a self-service Apache Kafka Topic Management/Governance tool/portal, contains an improper access control issue. This allows unauthorized users to trigger a reset or deletion of metadata for any tenant. An attacker can send a crafted request to the `/resetMemoryCache` API endpoint to clear cached configurations, environments, and cluster data. The `resetMemoryCache` function is vulnerable to this manipulation. **Recommendations** Update to version 2.10.2 or later.

**Name of the Vulnerable Software and Affected Versions** Kafka Connect BigQuery Connector versions prior to 2.11.0 **Description** The Kafka Connect BigQuery Connector, a sink connector from Apache Kafka to Google BigQuery, contains a flaw that could allow arbitrary file reads. This occurs because the service does not validate externally-sourced credential configurations before passing them to authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted `credential source.file` paths or `credential source.url` endpoints, potentially leading to arbitrary file reads or Server-Side Request Forgery (SSRF) attacks. The connector requires Google Cloud credential configurations for authentication to BigQuery services. **Recommendations** Upgrade to version 2.11.0 or later.

**Name of the Vulnerable Software and Affected Versions** Express OpenID Connect versions 2.3.0 through 2.5.1 **Description** The issue arises from the failure to regenerate the session id and session cookie when a user logs in, making the application susceptible to session fixation vulnerabilities. This behavior affects versions prior to the patch release. **Recommendations** For versions 2.3.0 through 2.5.1, upgrade to version 2.5.2 or later to resolve the issue.