Vulnerabilites related to apache - pulsar
cve-2022-33682
Vulnerability from cvelistv5
Published
2022-09-23 09:25
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.10.0 Version: 2.7 < Version: 2.8 < Version: 2.9 < Version: 2.6 and earlier < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T08:09:22.270Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "2.10.0", }, { lessThanOrEqual: "2.7.4", status: "affected", version: "2.7", versionType: "custom", }, { lessThanOrEqual: "2.8.3", status: "affected", version: "2.8", versionType: "custom", }, { lessThanOrEqual: "2.9.2", status: "affected", version: "2.9", versionType: "custom", }, { lessThanOrEqual: "2.6.4", status: "affected", version: "2.6 and earlier", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "This issue was discovered by Michael Marshall of DataStax.", }, ], descriptions: [ { lang: "en", value: "TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, ], metrics: [ { other: { content: { other: "high", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-23T09:25:14", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx", }, ], source: { discovery: "UNKNOWN", }, title: "Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack", workarounds: [ { lang: "en", value: "Any users running affected versions of the Pulsar Broker, Pulsar Proxy, or Pulsar WebSocket Proxy should rotate static authentication data vulnerable to man in the middle attacks used by these applications, including tokens and passwords. \n\nTo enable hostname verification, update the following configuration files.\n\nIn the Broker configuration (broker.conf, by default) and in the WebSocket Proxy configuration (websocket.conf, by default), set:\n\nbrokerClient_tlsHostnameVerificationEnable=true\n\nIn Pulsar Helm chart deployments, the Broker and WebSocket Proxy setting name should be prefixed with \"PULSAR_PREFIX_\".\n\nIn the Proxy configuration (proxy.conf, by default), set:\n\ntlsHostnameVerificationEnabled=true\n\n2.7 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.7.5, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.8 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.8.4, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.9 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.9.3, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.10 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.10.1, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\nAny users running Pulsar Brokers, Proxies, and WebSocket Proxies for 2.6.4 and earlier should upgrade to one of the above patched versions, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-33682", STATE: "PUBLIC", TITLE: "Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pulsar", version: { version_data: [ { version_affected: "<=", version_name: "2.7", version_value: "2.7.4", }, { version_affected: "<=", version_name: "2.8", version_value: "2.8.3", }, { version_affected: "<=", version_name: "2.9", version_value: "2.9.2", }, { version_affected: "=", version_name: "2.10", version_value: "2.10.0", }, { version_affected: "<=", version_name: "2.6 and earlier", version_value: "2.6.4", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "This issue was discovered by Michael Marshall of DataStax.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ { other: "high", }, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-295 Improper Certificate Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx", refsource: "MISC", url: "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx", }, ], }, source: { discovery: "UNKNOWN", }, work_around: [ { lang: "en", value: "Any users running affected versions of the Pulsar Broker, Pulsar Proxy, or Pulsar WebSocket Proxy should rotate static authentication data vulnerable to man in the middle attacks used by these applications, including tokens and passwords. \n\nTo enable hostname verification, update the following configuration files.\n\nIn the Broker configuration (broker.conf, by default) and in the WebSocket Proxy configuration (websocket.conf, by default), set:\n\nbrokerClient_tlsHostnameVerificationEnable=true\n\nIn Pulsar Helm chart deployments, the Broker and WebSocket Proxy setting name should be prefixed with \"PULSAR_PREFIX_\".\n\nIn the Proxy configuration (proxy.conf, by default), set:\n\ntlsHostnameVerificationEnabled=true\n\n2.7 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.7.5, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.8 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.8.4, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.9 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.9.3, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.10 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.10.1, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\nAny users running Pulsar Brokers, Proxies, and WebSocket Proxies for 2.6.4 and earlier should upgrade to one of the above patched versions, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.", }, ], }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-33682", datePublished: "2022-09-23T09:25:14", dateReserved: "2022-06-15T00:00:00", dateUpdated: "2024-08-03T08:09:22.270Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-41571
Vulnerability from cvelistv5
Published
2022-02-01 12:40
Modified
2024-08-04 03:15
Severity ?
EPSS score ?
Summary
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId | x_refsource_MISC | |
| https://github.com/apache/pulsar/issues/11814 | x_refsource_MISC | |
| https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: Apache Pulsar < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T03:15:29.204Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/apache/pulsar/issues/11814", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.8.0", status: "affected", version: "Apache Pulsar", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.", }, ], metrics: [ { other: { content: { other: "moderate", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-18T11:52:20.375Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/apache/pulsar/issues/11814", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr", }, ], source: { defect: [ "https://github.com/apache/pulsar/issues/11814", ], discovery: "UNKNOWN", }, title: "Pulsar Admin API allows access to data from other tenants using getMessageById API", workarounds: [ { lang: "en", value: "If you are running Pulsar behind a proxy you can disable access to the REST API for the flawed API \n\n/admin/v2/non-persistent/{tenant}/{namespace}/{topic}/ledger/{ledgerId}/entry/{entryId}", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-41571", STATE: "PUBLIC", TITLE: "Pulsar Admin API allows access to data from other tenants using getMessageById API", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pulsar", version: { version_data: [ { version_affected: "<=", version_name: "Apache Pulsar", version_value: "2.8.0", }, { version_affected: "<=", version_name: "Apache Pulsar", version_value: "2.7.3 +1", }, { version_affected: "<=", version_name: "Apache Pulsar", version_value: "2.6.4 +1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ { other: "moderate", }, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-863 Incorrect Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId", refsource: "MISC", url: "https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId", }, { name: "https://github.com/apache/pulsar/issues/11814", refsource: "MISC", url: "https://github.com/apache/pulsar/issues/11814", }, { name: "https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr", refsource: "MISC", url: "https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr", }, ], }, source: { defect: [ "https://github.com/apache/pulsar/issues/11814", ], discovery: "UNKNOWN", }, work_around: [ { lang: "en", value: "If you are running Pulsar behind a proxy you can disable access to the REST API for the flawed API \n\n/admin/v2/non-persistent/{tenant}/{namespace}/{topic}/ledger/{ledgerId}/entry/{entryId}", }, ], }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-41571", datePublished: "2022-02-01T12:40:53", dateReserved: "2021-09-23T00:00:00", dateUpdated: "2024-08-04T03:15:29.204Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28098
Vulnerability from cvelistv5
Published
2024-03-12 18:15
Modified
2025-02-13 17:47
Severity ?
EPSS score ?
Summary
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6.
2.11 Apache Pulsar users should upgrade to at least 2.11.4.
3.0 Apache Pulsar users should upgrade to at least 3.0.3.
3.1 Apache Pulsar users should upgrade to at least 3.1.3.
3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.7.1 ≤ Version: 2.11.0 ≤ Version: 3.0.0 ≤ Version: 3.1.0 ≤ Version: 3.2.0 ≤ |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-28098", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-13T18:37:12.167881Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T18:03:35.775Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T00:48:48.936Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://pulsar.apache.org/security/CVE-2024-28098/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/12", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.7.1", versionType: "semver", }, { lessThan: "2.11.4", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.3", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.3", status: "affected", version: "3.1.0", versionType: "semver", }, { lessThan: "3.2.1", status: "affected", version: "3.2.0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.<br><br>This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. <br><br>2.10 Apache Pulsar users should upgrade to at least 2.10.6.<br>2.11 Apache Pulsar users should upgrade to at least 2.11.4.<br>3.0 Apache Pulsar users should upgrade to at least 3.0.3.<br>3.1 Apache Pulsar users should upgrade to at least 3.1.3.<br>3.2 Apache Pulsar users should upgrade to at least 3.2.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.<br>", }, ], value: "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Apache Pulsar users should upgrade to at least 2.10.6.\n2.11 Apache Pulsar users should upgrade to at least 2.11.4.\n3.0 Apache Pulsar users should upgrade to at least 3.0.3.\n3.1 Apache Pulsar users should upgrade to at least 3.1.3.\n3.2 Apache Pulsar users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T17:06:43.771Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "mailing-list", ], url: "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z", }, { tags: [ "vendor-advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-28098/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/12/12", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar: Improper Authorization For Topic-Level Policy Management", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-28098", datePublished: "2024-03-12T18:15:39.848Z", dateReserved: "2024-03-04T08:43:49.387Z", dateUpdated: "2025-02-13T17:47:15.300Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-33681
Vulnerability from cvelistv5
Published
2022-09-23 09:25
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.10.0 Version: 2.7 < Version: 2.8 < Version: 2.9 < Version: 2.6 and earlier < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T08:09:22.286Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "2.10.0", }, { lessThanOrEqual: "2.7.4", status: "affected", version: "2.7", versionType: "custom", }, { lessThanOrEqual: "2.8.3", status: "affected", version: "2.8", versionType: "custom", }, { lessThanOrEqual: "2.9.2", status: "affected", version: "2.9", versionType: "custom", }, { lessThanOrEqual: "2.6.4", status: "affected", version: "2.6 and earlier", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "This issue was discovered by Michael Marshall of DataStax.", }, ], descriptions: [ { lang: "en", value: "Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, ], metrics: [ { other: { content: { other: "high", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-23T09:25:13", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d", }, ], source: { discovery: "UNKNOWN", }, title: "Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", workarounds: [ { lang: "en", value: "Any users running affected versions of the Java Client should rotate vulnerable authentication data, including tokens and passwords.\n\n2.7 Pulsar Java Client users should upgrade to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.\n2.8 Pulsar Java Client users should upgrade to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.\n2.9 Pulsar Java Client users should upgrade to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.\n2.10 Pulsar Java Client users should upgrade to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.\nAny users running the Pulsar Java Client for 2.6.4 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords.", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-33681", STATE: "PUBLIC", TITLE: "Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pulsar", version: { version_data: [ { version_affected: "<=", version_name: "2.7", version_value: "2.7.4", }, { version_affected: "<=", version_name: "2.8", version_value: "2.8.3", }, { version_affected: "<=", version_name: "2.9", version_value: "2.9.2", }, { version_affected: "=", version_name: "2.10", version_value: "2.10.0", }, { version_affected: "<=", version_name: "2.6 and earlier", version_value: "2.6.4", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "This issue was discovered by Michael Marshall of DataStax.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ { other: "high", }, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-295 Improper Certificate Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d", refsource: "MISC", url: "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d", }, ], }, source: { discovery: "UNKNOWN", }, work_around: [ { lang: "en", value: "Any users running affected versions of the Java Client should rotate vulnerable authentication data, including tokens and passwords.\n\n2.7 Pulsar Java Client users should upgrade to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.\n2.8 Pulsar Java Client users should upgrade to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.\n2.9 Pulsar Java Client users should upgrade to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.\n2.10 Pulsar Java Client users should upgrade to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.\nAny users running the Pulsar Java Client for 2.6.4 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords.", }, ], }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-33681", datePublished: "2022-09-23T09:25:13", dateReserved: "2022-06-15T00:00:00", dateUpdated: "2024-08-03T08:09:22.286Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-27894
Vulnerability from cvelistv5
Published
2024-03-12 18:19
Modified
2025-02-13 17:47
Severity ?
EPSS score ?
Summary
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.4.0 ≤ Version: 2.11.0 ≤ Version: 3.0.0 ≤ Version: 3.1.0 ≤ Version: 3.2.0 ≤ |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-27894", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-13T16:05:51.769657Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:47:12.905Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T00:41:55.869Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://pulsar.apache.org/security/CVE-2024-27894/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/11", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.4.0", versionType: "semver", }, { lessThan: "2.11.4", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.3", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.3", status: "affected", version: "3.1.0", versionType: "semver", }, { lessThan: "3.2.1", status: "affected", version: "3.2.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Lari Hotari of StreamNative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.<br>This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".<br><br>This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. <br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br>3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br>3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br>3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.<br><br>The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.", }, ], value: "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\nThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\n\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-552", description: "CWE-552 Files or Directories Accessible to External Parties", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T17:09:31.832Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "mailing-list", ], url: "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p", }, { tags: [ "vendor-advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27894/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/12/11", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-27894", datePublished: "2024-03-12T18:19:41.084Z", dateReserved: "2024-02-26T21:19:23.344Z", dateUpdated: "2025-02-13T17:47:12.314Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-30428
Vulnerability from cvelistv5
Published
2023-07-12 09:10
Modified
2024-10-04 13:43
Severity ?
EPSS score ?
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.
This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.
The vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.
There are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.
2.8 Pulsar Broker users and earlier are unaffected.
2.9 Pulsar Broker users should upgrade to one of the patched versions.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar Broker |
Version: 2.9.0 ≤ 2.9.5 Version: 2.10.0 ≤ Version: 2.11.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:21:44.816Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThanOrEqual: "2.9.5", status: "affected", version: "2.9.0", versionType: "custom", }, { lessThanOrEqual: "2.10.4", status: "affected", version: "2.10.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { status: "affected", version: "2.11.0", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-30428", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-04T13:37:10.667539Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-04T13:43:04.819Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar Broker", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.9.5", status: "affected", version: "2.9.0", versionType: "semver", }, { lessThan: "2.10.4", status: "affected", version: "2.10.0", versionType: "semver", }, { status: "affected", version: "2.11.0", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Marshall of DataStax", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.<br>This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.<br><br>The vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.<br><br>There are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.<br><br>2.8 Pulsar Broker users and earlier are unaffected.<br>2.9 Pulsar Broker users should upgrade to one of the patched versions.<br>2.10 Pulsar Broker users should upgrade to at least 2.10.4.<br>2.11 Pulsar Broker users should upgrade to at least 2.11.1.<br>3.0 Pulsar Broker users are unaffected.<br><br>", }, ], value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.\nThis issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.\n\nThe vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.\n\nThere are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.\n\n2.8 Pulsar Broker users and earlier are unaffected.\n2.9 Pulsar Broker users should upgrade to one of the patched versions.\n2.10 Pulsar Broker users should upgrade to at least 2.10.4.\n2.11 Pulsar Broker users should upgrade to at least 2.11.1.\n3.0 Pulsar Broker users are unaffected.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-12T09:10:03.369Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-30428", datePublished: "2023-07-12T09:10:03.369Z", dateReserved: "2023-04-08T03:20:41.507Z", dateUpdated: "2024-10-04T13:43:04.819Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-34321
Vulnerability from cvelistv5
Published
2024-03-12 18:17
Modified
2025-02-13 16:32
Severity ?
EPSS score ?
Summary
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.
This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.
The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.
2.10 Pulsar Proxy users should upgrade to at least 2.10.6.
2.11 Pulsar Proxy users should upgrade to at least 2.11.3.
3.0 Pulsar Proxy users should upgrade to at least 3.0.2.
3.1 Pulsar Proxy users should upgrade to at least 3.1.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.6.0 ≤ Version: 2.11.0 ≤ Version: 3.0.0 ≤ Version: 3.1.0 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T09:07:16.123Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://pulsar.apache.org/security/CVE-2022-34321/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/8", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.6.0", versionType: "semver", }, { lessThan: "2.11.3", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.2", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.1", status: "affected", version: "3.1.0", versionType: "semver", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2022-34321", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-13T18:45:58.606642Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T18:48:30.535Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.6.0", versionType: "semver", }, { lessThan: "2.11.3", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.2", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.1", status: "affected", version: "3.1.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Lari Hotari", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.<br><br>This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.<br><br>The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.<br><br>2.10 Pulsar Proxy users should upgrade to at least 2.10.6.<br>2.11 Pulsar Proxy users should upgrade to at least 2.11.3.<br>3.0 Pulsar Proxy users should upgrade to at least 3.0.2.<br>3.1 Pulsar Proxy users should upgrade to at least 3.1.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.", }, ], value: "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\n\nThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\n\nThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.\n\n2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\n2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\n3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\n3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-306", description: "CWE-306 Missing Authentication for Critical Function", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T17:09:08.239Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "mailing-list", ], url: "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8", }, { tags: [ "vendor-advisory", ], url: "https://pulsar.apache.org/security/CVE-2022-34321/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/12/8", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-34321", datePublished: "2024-03-12T18:17:06.236Z", dateReserved: "2022-06-22T16:11:50.885Z", dateUpdated: "2025-02-13T16:32:45.878Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-33683
Vulnerability from cvelistv5
Published
2022-09-23 09:25
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.10.0 Version: 2.7 < Version: 2.8 < Version: 2.9 < Version: 2.6 and earlier < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T08:09:22.580Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "2.10.0", }, { lessThanOrEqual: "2.7.4", status: "affected", version: "2.7", versionType: "custom", }, { lessThanOrEqual: "2.8.3", status: "affected", version: "2.8", versionType: "custom", }, { lessThanOrEqual: "2.9.2", status: "affected", version: "2.9", versionType: "custom", }, { lessThanOrEqual: "2.6.4", status: "affected", version: "2.6 and earlier", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "This issue was discovered by Michael Marshall of DataStax.", }, ], descriptions: [ { lang: "en", value: "Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, ], metrics: [ { other: { content: { other: "high", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-23T09:25:15", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x", }, ], source: { discovery: "UNKNOWN", }, title: "Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack ", workarounds: [ { lang: "en", value: "Any users running affected versions of the Pulsar Broker or Pulsar Proxy should rotate static authentication data vulnerable to man in the middle attacks used by these applications, including tokens and passwords.\n\n2.7 users should upgrade Pulsar Brokers and Proxies to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.\n2.8 users should upgrade Pulsar Brokers and Proxies to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.\n2.9 users should upgrade Pulsar Brokers and Proxies to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.\n2.10 users should upgrade Pulsar Brokers and Proxies to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.\nAny users running Pulsar Brokers and Proxies for 2.6 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords.\n\nIn addition to upgrading, it is also necessary to enable hostname verification to prevent man in the middle attacks. Please see CVE-2022-33682 for more information.", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-33683", STATE: "PUBLIC", TITLE: "Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack ", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pulsar", version: { version_data: [ { version_affected: "<=", version_name: "2.7", version_value: "2.7.4", }, { version_affected: "<=", version_name: "2.8", version_value: "2.8.3", }, { version_affected: "<=", version_name: "2.9", version_value: "2.9.2", }, { version_affected: "=", version_name: "2.10", version_value: "2.10.0", }, { version_affected: "<=", version_name: "2.6 and earlier", version_value: "2.6.4", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "This issue was discovered by Michael Marshall of DataStax.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ { other: "high", }, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-295 Improper Certificate Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x", refsource: "MISC", url: "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x", }, ], }, source: { discovery: "UNKNOWN", }, work_around: [ { lang: "en", value: "Any users running affected versions of the Pulsar Broker or Pulsar Proxy should rotate static authentication data vulnerable to man in the middle attacks used by these applications, including tokens and passwords.\n\n2.7 users should upgrade Pulsar Brokers and Proxies to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.\n2.8 users should upgrade Pulsar Brokers and Proxies to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.\n2.9 users should upgrade Pulsar Brokers and Proxies to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.\n2.10 users should upgrade Pulsar Brokers and Proxies to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.\nAny users running Pulsar Brokers and Proxies for 2.6 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords.\n\nIn addition to upgrading, it is also necessary to enable hostname verification to prevent man in the middle attacks. Please see CVE-2022-33682 for more information.", }, ], }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-33683", datePublished: "2022-09-23T09:25:15", dateReserved: "2022-06-15T00:00:00", dateUpdated: "2024-08-03T08:09:22.580Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-51437
Vulnerability from cvelistv5
Published
2024-02-07 09:18
Modified
2024-08-02 22:32
Severity ?
EPSS score ?
Summary
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.
Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.
For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 0 ≤ 2.10.5 Version: 2.11.0 ≤ 2.11.2 Version: 3.0.0 ≤ 3.0.1 Version: 3.1.0 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-51437", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-07T15:10:54.777111Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-05T17:22:56.108Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T22:32:09.454Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5", }, { tags: [ "x_transferred", ], url: "https://www.openwall.com/lists/oss-security/2024/02/07/1", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.10.5", status: "affected", version: "0", versionType: "semver", }, { lessThanOrEqual: "2.11.2", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThanOrEqual: "3.0.1", status: "affected", version: "3.0.0", versionType: "semver", }, { status: "affected", version: "3.1.0", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Yiheng Cao", }, { lang: "en", type: "finder", value: "Chenhao Lu ", }, { lang: "en", type: "finder", value: "Kaifeng Huang", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.<br><p>Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.<br></p><p>Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.</p>2.11 Pulsar users should upgrade to at least 2.11.3.<br>3.0 Pulsar users should upgrade to at least 3.0.2.<br>3.1 Pulsar users should upgrade to at least 3.1.1.<br><div>Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.</div><div><br></div><p>For additional details on this attack vector, please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://codahale.com/a-lesson-in-timing-attacks/\">https://codahale.com/a-lesson-in-timing-attacks/</a>.</p>", }, ], value: "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-203", description: "CWE-203 Observable Discrepancy", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-22T08:38:36.247Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5", }, { url: "https://www.openwall.com/lists/oss-security/2024/02/07/1", }, ], source: { discovery: "EXTERNAL", }, title: "Apache Pulsar: Timing attack in SASL token signature verification", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-51437", datePublished: "2024-02-07T09:18:19.080Z", dateReserved: "2023-12-19T06:13:58.560Z", dateUpdated: "2024-08-02T22:32:09.454Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-37544
Vulnerability from cvelistv5
Published
2023-12-20 08:34
Modified
2025-02-13 17:01
Severity ?
EPSS score ?
Summary
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar WebSocket Proxy |
Version: 2.8.0 ≤ 2.8.* Version: 2.9.0 ≤ 2.9.* Version: 2.10.0 ≤ 2.10.4 Version: 2.11.0 ≤ 2.11.1 Version: 3.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T17:16:30.560Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2023/12/20/2", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar WebSocket Proxy", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.8.*", status: "affected", version: "2.8.0", versionType: "semver", }, { lessThanOrEqual: "2.9.*", status: "affected", version: "2.9.0", versionType: "semver", }, { lessThanOrEqual: "2.10.4", status: "affected", version: "2.10.0", versionType: "semver", }, { lessThanOrEqual: "2.11.1", status: "affected", version: "2.11.0", versionType: "semver", }, { status: "affected", version: "3.0.0", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Marshall of DataStax", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.<br><br>This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.<br><br>The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.<br><br>2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.<br>2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.<br>3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.<br>3.1 Pulsar WebSocket Proxy users are unaffected.<br>Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.", }, ], value: "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\n\nThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\n\nThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\n\n2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\n2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\n3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\n3.1 Pulsar WebSocket Proxy users are unaffected.\nAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-20T08:35:06.415Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m", }, { url: "http://www.openwall.com/lists/oss-security/2023/12/20/2", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-37544", datePublished: "2023-12-20T08:34:02.393Z", dateReserved: "2023-07-07T05:55:37.670Z", dateUpdated: "2025-02-13T17:01:29.212Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-30429
Vulnerability from cvelistv5
Published
2023-07-12 09:08
Modified
2024-10-03 20:43
Severity ?
EPSS score ?
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 0 ≤ Version: 2.11.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:21:44.815Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "2.10.4", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { status: "affected", version: "2.11.0", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-30429", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T20:40:14.505445Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T20:43:48.694Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.4", status: "affected", version: "0", versionType: "semver", }, { status: "affected", version: "2.11.0", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Marshall of DataStax", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.<br><br>This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.<br><br>When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.<br><br>The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.<br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.<br>3.0 Pulsar Function Worker users are unaffected.<br>Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.<br>", }, ], value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.\n\nThis issue affects Apache Pulsar: before 2.10.4, and 2.11.0.\n\nWhen a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.\n\nThe recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.\n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\n3.0 Pulsar Function Worker users are unaffected.\nAny users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-12T09:08:23.703Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-30429", datePublished: "2023-07-12T09:08:23.703Z", dateReserved: "2023-04-08T03:30:20.317Z", dateUpdated: "2024-10-03T20:43:48.694Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-22160
Vulnerability from cvelistv5
Published
2021-05-26 12:22
Modified
2024-08-03 18:37
Severity ?
EPSS score ?
Summary
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: Apache Pulsar < 2.7.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:37:18.090Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E", }, { name: "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.7.1", status: "affected", version: "Apache Pulsar", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins).", }, ], problemTypes: [ { descriptions: [ { description: "token not validated", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-06-04T20:06:14", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E", }, { name: "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E", }, ], source: { discovery: "UNKNOWN", }, title: "Authentication with JWT allows use of “none”-algorithm", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-22160", STATE: "PUBLIC", TITLE: "Authentication with JWT allows use of “none”-algorithm", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pulsar", version: { version_data: [ { version_affected: "<", version_name: "Apache Pulsar", version_value: "2.7.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins).", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "token not validated", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5@%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cusers.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da@%3Cdev.pulsar.apache.org%3E", }, { name: "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84@%3Cdev.pulsar.apache.org%3E", }, { name: "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df@%3Cdev.pulsar.apache.org%3E", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-22160", datePublished: "2021-05-26T12:22:31", dateReserved: "2021-01-05T00:00:00", dateUpdated: "2024-08-03T18:37:18.090Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-37579
Vulnerability from cvelistv5
Published
2023-07-12 09:05
Modified
2024-10-08 13:35
Severity ?
EPSS score ?
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar Function Worker |
Version: 0 ≤ Version: 2.11.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T17:16:30.966Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "2.10.4", status: "affected", version: "0", versionType: "custom", }, { status: "affected", version: "2.11.0", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-37579", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-08T13:34:09.643587Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-08T13:35:12.605Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar Function Worker", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.4", status: "affected", version: "0", versionType: "semver", }, { status: "affected", version: "2.11.0", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Marshall of DataStax", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.<br><br>This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.<br><br>Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.<br><br>The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.<br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.<br>3.0 Pulsar Function Worker users are unaffected.<br>Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.<br><br>", }, ], value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.\n\nThis issue affects Apache Pulsar: before 2.10.4, and 2.11.0.\n\nAny authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.\n\nThe recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.\n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\n3.0 Pulsar Function Worker users are unaffected.\nAny users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-12T09:05:24.408Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-37579", datePublished: "2023-07-12T09:05:24.408Z", dateReserved: "2023-07-07T21:58:25.770Z", dateUpdated: "2024-10-08T13:35:12.605Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-33684
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.7 < Version: 2.8 < Version: 2.9 < Version: 2.10 < Version: 2.6 and earlier < Patch: 3.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T08:09:22.308Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv", }, { tags: [ "x_transferred", ], url: "https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.7.4", status: "affected", version: "2.7", versionType: "custom", }, { lessThanOrEqual: "2.8.3", status: "affected", version: "2.8", versionType: "custom", }, { lessThanOrEqual: "2.9.2", status: "affected", version: "2.9", versionType: "custom", }, { lessThanOrEqual: "2.10.1", status: "affected", version: "2.10", versionType: "custom", }, { lessThanOrEqual: "2.6.4", status: "affected", version: "2.6 and earlier", versionType: "custom", }, { lessThan: "3.0*", status: "unaffected", version: "3.0.0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "This issue was discovered by Michael Rowley, michaellrowley@protonmail.com", }, ], descriptions: [ { lang: "en", value: "The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.", }, ], metrics: [ { other: { content: { other: "high", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-17T09:19:21.073Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv", }, { url: "https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-33684", datePublished: "2022-11-04T00:00:00", dateReserved: "2022-06-15T00:00:00", dateUpdated: "2024-08-03T08:09:22.308Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-27135
Vulnerability from cvelistv5
Published
2024-03-12 18:18
Modified
2025-02-13 17:41
Severity ?
EPSS score ?
Summary
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.4.0 ≤ Version: 2.11.0 ≤ Version: 3.0.0 ≤ Version: 3.1.0 ≤ Version: 3.2.0 ≤ |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache:pulsar:2.4.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.4.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "2.11.4", status: "affected", version: "2.11.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:pulsar:3.0.0:-:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "3.0.3", status: "affected", version: "3.0.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "3.1.3", status: "affected", version: "3.1.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pulsar", vendor: "apache", versions: [ { lessThan: "3.2.1", status: "affected", version: "3.2.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-27135", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-03-13T14:22:47.701713Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-24T19:41:30.721Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T00:27:59.563Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://pulsar.apache.org/security/CVE-2024-27135/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/9", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.4.0", versionType: "semver", }, { lessThan: "2.11.4", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.3", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.3", status: "affected", version: "3.1.0", versionType: "semver", }, { lessThan: "3.2.1", status: "affected", version: "3.2.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Lari Hotari of StreamNative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".<br><br>This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. <br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br>3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br>3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br>3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.<br>", }, ], value: "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, ], metrics: [ { other: { content: { text: "high", }, type: "Textual description of severity", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-913", description: "CWE-913 Improper Control of Dynamically-Managed Code Resources", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T17:08:59.095Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "mailing-list", ], url: "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn", }, { tags: [ "vendor-advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27135/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/12/9", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-27135", datePublished: "2024-03-12T18:18:06.720Z", dateReserved: "2024-02-20T11:50:02.083Z", dateUpdated: "2025-02-13T17:41:17.703Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-24280
Vulnerability from cvelistv5
Published
2022-09-23 09:25
Modified
2024-08-03 04:07
Severity ?
EPSS score ?
Summary
Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.7 < Version: 2.8 < Version: 2.9 < Version: 2.6 and earlier < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:07:02.453Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.7.4", status: "affected", version: "2.7", versionType: "custom", }, { lessThanOrEqual: "2.8.2", status: "affected", version: "2.8", versionType: "custom", }, { lessThanOrEqual: "2.9.1", status: "affected", version: "2.9", versionType: "custom", }, { lessThanOrEqual: "2.6.4", status: "affected", version: "2.6 and earlier", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "This issue was discovered by Lari Hotari of DataStax.", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.", }, ], metrics: [ { other: { content: { other: "important", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-23T09:25:12", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Pulsar Proxy target broker address isn't validated", workarounds: [ { lang: "en", value: "To address the issue, upgraded versions of Apache Pulsar Proxy will only allow connections to known broker ports 6650 and 6651 by default. In addition, it is necessary to limit proxied broker connections further to known broker addresses by specifying brokerProxyAllowedHostNames and brokerProxyAllowedIPAddresses Pulsar Proxy settings. In Pulsar Helm chart deployments, the setting names should be prefixed with \"PULSAR_PREFIX_\".\n\n2.7 users should upgrade Pulsar Proxies to 2.7.5 and apply configuration changes.\n2.8 users should upgrade Pulsar Proxies to at least 2.8.3 and apply configuration changes.\n2.9 users should upgrade Pulsar Proxies to at least 2.9.2 and apply configuration changes.\n2.10 users should apply configuration changes.\nAny users running the Pulsar Proxy 2.6.4 and earlier should upgrade to one of the above patched versions and apply configuration changes.", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-24280", STATE: "PUBLIC", TITLE: "Apache Pulsar Proxy target broker address isn't validated", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pulsar", version: { version_data: [ { version_affected: "<=", version_name: "2.7", version_value: "2.7.4", }, { version_affected: "<=", version_name: "2.8", version_value: "2.8.2", }, { version_affected: "<=", version_name: "2.9", version_value: "2.9.1", }, { version_affected: "<=", version_name: "2.6 and earlier", version_value: "2.6.4", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "This issue was discovered by Lari Hotari of DataStax.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ { other: "important", }, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v", refsource: "MISC", url: "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v", }, ], }, source: { discovery: "UNKNOWN", }, work_around: [ { lang: "en", value: "To address the issue, upgraded versions of Apache Pulsar Proxy will only allow connections to known broker ports 6650 and 6651 by default. In addition, it is necessary to limit proxied broker connections further to known broker addresses by specifying brokerProxyAllowedHostNames and brokerProxyAllowedIPAddresses Pulsar Proxy settings. In Pulsar Helm chart deployments, the setting names should be prefixed with \"PULSAR_PREFIX_\".\n\n2.7 users should upgrade Pulsar Proxies to 2.7.5 and apply configuration changes.\n2.8 users should upgrade Pulsar Proxies to at least 2.8.3 and apply configuration changes.\n2.9 users should upgrade Pulsar Proxies to at least 2.9.2 and apply configuration changes.\n2.10 users should apply configuration changes.\nAny users running the Pulsar Proxy 2.6.4 and earlier should upgrade to one of the above patched versions and apply configuration changes.", }, ], }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-24280", datePublished: "2022-09-23T09:25:12", dateReserved: "2022-01-31T00:00:00", dateUpdated: "2024-08-03T04:07:02.453Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-31007
Vulnerability from cvelistv5
Published
2023-07-12 09:07
Modified
2024-10-08 13:35
Severity ?
EPSS score ?
Summary
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.
This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.
2.9 Pulsar Broker users should upgrade to at least 2.9.5.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 0 ≤ Version: 2.10.0 ≤ 2.10.3 Version: 2.11.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:45:24.680Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-31007", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-08T13:35:46.823063Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-08T13:35:57.720Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.9.5", status: "affected", version: "0", versionType: "semver", }, { lessThanOrEqual: "2.10.3", status: "affected", version: "2.10.0", versionType: "semver", }, { status: "affected", version: "2.11.0", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Marshall of DataStax", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.<br><br>This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.<br><br>2.9 Pulsar Broker users should upgrade to at least 2.9.5.<br>2.10 Pulsar Broker users should upgrade to at least 2.10.4.<br>2.11 Pulsar Broker users should upgrade to at least 2.11.1.<br>3.0 Pulsar Broker users are unaffected.<br>Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.<br>", }, ], value: "Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.\n\nThis issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.\n\n2.9 Pulsar Broker users should upgrade to at least 2.9.5.\n2.10 Pulsar Broker users should upgrade to at least 2.10.4.\n2.11 Pulsar Broker users should upgrade to at least 2.11.1.\n3.0 Pulsar Broker users are unaffected.\nAny users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 0, baseSeverity: "NONE", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-12T09:07:03.227Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj", }, ], source: { discovery: "INTERNAL", }, title: "Apache Pulsar: Broker does not always disconnect client when authentication data expires", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-31007", datePublished: "2023-07-12T09:07:03.227Z", dateReserved: "2023-04-21T20:14:07.066Z", dateUpdated: "2024-10-08T13:35:57.720Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-27317
Vulnerability from cvelistv5
Published
2024-03-12 18:18
Modified
2025-02-13 17:46
Severity ?
EPSS score ?
Summary
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.4.0 ≤ Version: 2.11.0 ≤ Version: 3.0.0 ≤ Version: 3.1.0 ≤ Version: 3.2.0 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T00:34:51.382Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://pulsar.apache.org/security/CVE-2024-27317/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/10", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "pulsar", vendor: "apache", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.4.0", versionType: "semver", }, { lessThan: "2.11.4", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.3", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.3", status: "affected", version: "3.1.0", versionType: "semver", }, { lessThan: "3.2.1", status: "affected", version: "3.2.0", versionType: "semver", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-27317", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-05T17:16:55.541030Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-05T17:20:20.810Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThan: "2.10.6", status: "affected", version: "2.4.0", versionType: "semver", }, { lessThan: "2.11.4", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.3", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThan: "3.1.3", status: "affected", version: "3.1.0", versionType: "semver", }, { lessThan: "3.2.1", status: "affected", version: "3.2.0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".<br><br>This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. <br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br>3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br>3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br>3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, ], value: "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T18:06:42.643Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "mailing-list", ], url: "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po", }, { tags: [ "vendor-advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27317/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/12/10", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-27317", datePublished: "2024-03-12T18:18:52.650Z", dateReserved: "2024-02-23T16:52:14.017Z", dateUpdated: "2025-02-13T17:46:25.167Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-29834
Vulnerability from cvelistv5
Published
2024-04-02 19:24
Modified
2025-02-13 17:47
Severity ?
EPSS score ?
Summary
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.
3.0 Apache Pulsar users should upgrade to at least 3.0.4.
3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Version: 2.7.1 ≤ 2.10.6 Version: 2.11.0 ≤ 2.11.4 Version: 3.0.0 ≤ Version: 3.1.0 ≤ 3.1.3 Version: 3.2.0 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T01:17:57.981Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://pulsar.apache.org/security/CVE-2024-29834/", }, { tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/04/02/2", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-29834", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-21T13:59:54.857505Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-21T14:33:25.142Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Pulsar", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.10.6", status: "affected", version: "2.7.1", versionType: "semver", }, { lessThanOrEqual: "2.11.4", status: "affected", version: "2.11.0", versionType: "semver", }, { lessThan: "3.0.4", status: "affected", version: "3.0.0", versionType: "semver", }, { lessThanOrEqual: "3.1.3", status: "affected", version: "3.1.0", versionType: "semver", }, { lessThan: "3.2.2", status: "affected", version: "3.2.0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\"><div><div>This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.</div></div></span><br><br>This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. <br><br>3.0 Apache Pulsar users should upgrade to at least 3.0.4.<br>3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, ], value: "This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \n\n3.0 Apache Pulsar users should upgrade to at least 3.0.4.\n3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T17:06:33.488Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-29834/", }, { tags: [ "mailing-list", ], url: "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5", }, { url: "http://www.openwall.com/lists/oss-security/2024/04/02/2", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-29834", datePublished: "2024-04-02T19:24:46.473Z", dateReserved: "2024-03-20T16:45:27.305Z", dateUpdated: "2025-02-13T17:47:43.136Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2024-03-12 19:15
Modified
2025-02-13 18:17
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6.
2.11 Apache Pulsar users should upgrade to at least 2.11.4.
3.0 Apache Pulsar users should upgrade to at least 3.0.3.
3.1 Apache Pulsar users should upgrade to at least 3.1.3.
3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/12 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-28098/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/12 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-28098/ | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "95759762-9E34-4ACF-8BD3-2609CB2EC397", versionEndExcluding: "2.10.6", versionStartIncluding: "2.7.1", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5615177E-1EAD-4F00-8230-FE7C3B67A641", versionEndExcluding: "2.11.4", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5EC9804F-D93F-41C5-963D-F42DA8779249", versionEndExcluding: "3.0.3", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "44F5BF49-6151-4A0E-BD7D-280CBB09A868", versionEndExcluding: "3.1.3", versionStartIncluding: "3.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*", matchCriteriaId: "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Apache Pulsar users should upgrade to at least 2.10.6.\n2.11 Apache Pulsar users should upgrade to at least 2.11.4.\n3.0 Apache Pulsar users should upgrade to at least 3.0.3.\n3.1 Apache Pulsar users should upgrade to at least 3.1.3.\n3.2 Apache Pulsar users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, { lang: "es", value: "La vulnerabilidad permite a los usuarios autenticados con permisos solo de producción o consumo modificar políticas a nivel de tema, como retención, TTL y configuraciones de descarga. Estas operaciones de administración deben restringirse a usuarios con la función de administrador de inquilinos o la función de superusuario. Este problema afecta a las versiones de Apache Pulsar de 2.7.1 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Apache Pulsar deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Apache Pulsar deben actualizar al menos a 2.11.4. Los usuarios de Apache Pulsar 3.0 deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Apache Pulsar deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Apache Pulsar deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas.", }, ], id: "CVE-2024-28098", lastModified: "2025-02-13T18:17:46.583", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 2.7, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-12T19:15:48.177", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/12", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-28098/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/12", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-28098/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-23 10:15
Modified
2024-11-21 06:50
Severity ?
Summary
Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1DC4ED3C-514F-4895-B0D8-1160207FA2AD", versionEndIncluding: "2.6.4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "E1D90423-FEF6-41F0-82D3-2FD7AF67006B", versionEndExcluding: "2.7.5", versionStartIncluding: "2.7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "383196BD-46DF-4C7D-A414-670FD24F6B37", versionEndExcluding: "2.8.3", versionStartIncluding: "2.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "E0BACABF-CF6A-4E20-89A4-C60F8B6BE3A9", versionEndExcluding: "2.9.2", versionStartIncluding: "2.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.", }, { lang: "es", value: "Una vulnerabilidad de comprobación de entrada inapropiada en el componente Proxy de Apache Pulsar permite a un atacante realizar intentos de conexión TCP/IP que son originados en la dirección IP del Proxy Pulsar. Cuando es usado el componente Proxy de Apache Pulsar, es posible intentar abrir conexiones TCP/IP a cualquier dirección IP y puerto al que pueda conectarse el Proxy de Pulsar. Un atacante podría usar esto para realizar ataques DoS que sean originados desde la dirección IP del Pulsar Proxy. No se ha detectado que la autenticación del Pulsar Proxy pueda ser omitida. El atacante tendrá que tener un token válido para un Pulsar Proxy debidamente protegido. Este problema afecta a Apache Pulsar Proxy versiones 2.7.0 a 2.7.4; 2.8.0 a 2.8.2; 2.9.0 a 2.9.1; 2.6.4 y anteriores.", }, ], id: "CVE-2022-24280", lastModified: "2024-11-21T06:50:05.030", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-23T10:15:10.087", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-12 10:15
Modified
2024-11-21 08:11
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "93203072-AF2C-4C1C-9185-709395C44315", versionEndExcluding: "2.10.4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", matchCriteriaId: "8D3BCDDD-21DA-47B6-A8F4-76822E11662B", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*", matchCriteriaId: "AB395C43-88B4-4DE3-8ADC-D276C86250D7", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*", matchCriteriaId: "E90E85B9-B04D-4BCB-B7A8-7526C991F022", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.\n\nThis issue affects Apache Pulsar: before 2.10.4, and 2.11.0.\n\nAny authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.\n\nThe recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.\n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\n3.0 Pulsar Function Worker users are unaffected.\nAny users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\n\n", }, ], id: "CVE-2023-37579", lastModified: "2024-11-21T08:11:59.647", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.8, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-12T10:15:11.010", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-02-01 13:15
Modified
2024-11-21 06:26
Severity ?
Summary
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://github.com/apache/pulsar/issues/11814 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr | Mailing List, Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/pulsar/issues/11814 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId | Patch, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "E7316A0A-1852-4DD2-926A-06FEA7D1D2FA", versionEndExcluding: "2.6.4", versionStartIncluding: "2.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "66FA9B80-0C01-492B-83B1-728214C6C810", versionEndExcluding: "2.7.3", versionStartIncluding: "2.7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.8.0:*:*:*:*:*:*:*", matchCriteriaId: "D500E36D-2790-4ADB-B635-04223242421B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.", }, { lang: "es", value: "En Apache Pulsar es posible acceder a datos de BookKeeper que no pertenecen a los temas accesibles por el usuario autenticado. La API de administración get-message-by-id requiere que el usuario introduzca un tema y un ledger id. El identificador del libro mayor es un puntero a los datos, y supone que es válido para el tema. Los controles de autorización son llevados a cabo contra el nombre del tema y no se presenta una comprobación apropiada de que el ID del libro mayor sea válido en el contexto de dicho libro mayor. Por lo tanto, puede ocurrir que el usuario sea capaz de leer de un libro mayor que contiene datos que pertenecen a otro inquilino. Este problema afecta a Apache Pulsar versiones 2.8.0 y anteriores; Apache Pulsar versiones 2.7.3 y anteriores; Apache Pulsar versiones 2.6.4 y anteriores", }, ], id: "CVE-2021-41571", lastModified: "2024-11-21T06:26:27.173", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-02-01T13:15:09.663", references: [ { source: "security@apache.org", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/apache/pulsar/issues/11814", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr", }, { source: "security@apache.org", tags: [ "Patch", "Vendor Advisory", ], url: "https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/apache/pulsar/issues/11814", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Primary", }, { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-04-02 20:15
Modified
2025-01-24 16:21
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.
3.0 Apache Pulsar users should upgrade to at least 3.0.4.
3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/04/02/2 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5 | Mailing List, Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-29834/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/04/02/2 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-29834/ | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "6F72E981-1033-4288-B32A-D8BA23842F0A", versionEndIncluding: "2.10.6", versionStartIncluding: "2.7.1", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "BA0ADBDB-CBD3-465A-8A24-CA20BE0F2965", versionEndIncluding: "2.11.4", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "39CB0C2C-FFA0-47AD-AE95-33EDCD69D747", versionEndExcluding: "3.0.4", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "3B345AA3-0ACC-4953-B214-F505CDB077F6", versionEndIncluding: "3.1.3", versionStartIncluding: "3.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "92141F66-6615-4D09-9CD1-FB2341B7194E", versionEndExcluding: "3.2.2", versionStartIncluding: "3.2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \n\n3.0 Apache Pulsar users should upgrade to at least 3.0.4.\n3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, { lang: "es", value: "Esta vulnerabilidad permite a los usuarios autenticados con permisos de producción o consumo realizar operaciones no autorizadas en temas particionados, como descargar temas y activar la compactación. Estas operaciones de administración deben restringirse a los usuarios con la función de administrador de inquilinos o la función de superusuario. Un usuario autenticado con permiso de producción puede crear suscripciones y actualizar propiedades de suscripción en temas particionados, aunque esto debería limitarse a usuarios con permisos de consumo. Este análisis de impacto supone que Pulsar se ha configurado con el proveedor de autorización predeterminado. Para los proveedores de autorizaciones personalizadas, el impacto podría ser ligeramente diferente. Además, la vulnerabilidad permite a un usuario autenticado leer, crear, modificar y eliminar propiedades de espacio de nombres en cualquier espacio de nombres de cualquier inquilino. En Pulsar, las propiedades del espacio de nombres están reservadas para los metadatos proporcionados por el usuario sobre el espacio de nombres. Este problema afecta a las versiones de Apache Pulsar de 2.7.1 a 2.10.6, de 2.11.0 a 2.11.4, de 3.0.0 a 3.0.3, de 3.1.0 a 3.1.3 y de 3.2.0 a 3.2. 1. Los usuarios de Apache Pulsar 3.0 deben actualizar al menos a 3.0.4. Los usuarios de Apache Pulsar 3.1 y 3.2 deben actualizar al menos a 3.2.2. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas.", }, ], id: "CVE-2024-29834", lastModified: "2025-01-24T16:21:24.170", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 2.7, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-04-02T20:15:09.607", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/04/02/2", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-29834/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/04/02/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-29834/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-03-12 19:15
Modified
2025-01-19 03:23
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/10 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-27317/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/10 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-27317/ | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1CC67E07-21B9-485E-8169-0AD81B773690", versionEndExcluding: "2.10.6", versionStartIncluding: "2.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5615177E-1EAD-4F00-8230-FE7C3B67A641", versionEndExcluding: "2.11.4", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5EC9804F-D93F-41C5-963D-F42DA8779249", versionEndExcluding: "3.0.3", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "44F5BF49-6151-4A0E-BD7D-280CBB09A868", versionEndExcluding: "3.1.3", versionStartIncluding: "3.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*", matchCriteriaId: "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, { lang: "es", value: "En Pulsar Functions Worker, los usuarios autenticados pueden cargar funciones en archivos jar o nar. Estos archivos, esencialmente archivos zip, son extraídos por Functions Worker. Sin embargo, si se carga un archivo malicioso, podría aprovechar una vulnerabilidad de cruce de directorio. Esto ocurre cuando los nombres de los archivos zip, que no están validados correctamente, contienen elementos especiales como \"..\", alterando la ruta del directorio. Esto podría permitir a un atacante crear o modificar archivos fuera del directorio de extracción designado, lo que podría influir en el comportamiento del sistema. Esta vulnerabilidad también se aplica al Pulsar Broker cuando está configurado con \"functionsWorkerEnabled=true\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas.", }, ], id: "CVE-2024-27317", lastModified: "2025-01-19T03:23:26.087", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 6, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-12T19:15:47.777", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/10", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27317/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/10", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27317/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-23 10:15
Modified
2024-11-21 07:08
Severity ?
Summary
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1329962E-1B1C-42B1-B3E3-B647B7D2749E", versionEndExcluding: "2.7.5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "02284ABD-BFD3-4E2A-850A-CC12A7996E97", versionEndExcluding: "2.8.4", versionStartIncluding: "2.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "C1A2D87A-55FC-42C0-BB48-E2B5B07EE1CE", versionEndExcluding: "2.9.3", versionStartIncluding: "2.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.10.0:-:*:*:*:*:*:*", matchCriteriaId: "C6E2F16D-CCDD-4DC8-9745-09EA2CD4D4DB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, { lang: "es", value: "El retraso en la verificación del nombre de host TLS en el cliente Java Pulsar y Pulsar Proxy hace que cada cliente sea vulnerable a un ataque de hombre en el medio. Las conexiones del Cliente Java Pulsar al Broker/Proxy Pulsar y las conexiones del Proxy Pulsar al Broker Pulsar son vulnerables. Los datos de autenticación son enviados antes de verificar que el certificado TLS del servidor coincide con el nombre del host, lo que significa que los datos de autenticación podrían estar expuestos a un atacante. Un atacante sólo puede aprovecharse de esta vulnerabilidad al tomar el control de una máquina \"entre\" el cliente y el servidor. El atacante debe entonces manipular activamente el tráfico para llevar a cabo el ataque al proporcionar al cliente un certificado criptográficamente válido para un host no relacionado. Como el cliente envía datos de autenticación antes de llevar a cabo la verificación del nombre del host, un atacante podría acceder a los datos de autenticación del cliente. El cliente acaba cerrando la conexión cuando verifica el nombre de host e identifica que el nombre de host objetivo no coincide con un nombre de host en el certificado. Como el cliente acaba cerrando la conexión, el valor de los datos de autenticación interceptados depende del método de autenticación usado por el cliente. Los métodos de autenticación basados en tokens y de nombre de usuario/contraseña son vulnerables porque los datos de autenticación pueden usarse para suplantar al cliente en una sesión independiente. Este problema afecta a Apache Pulsar Java Client versiones 2.7.0 a 2.7.4; 2.8.0 a 2.8.3; 2.9.0 a 2.9.2; 2.10.0; 2.6.4 y anteriores.", }, ], id: "CVE-2022-33681", lastModified: "2024-11-21T07:08:19.030", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-23T10:15:10.243", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-23 10:15
Modified
2024-11-21 07:08
Severity ?
Summary
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1329962E-1B1C-42B1-B3E3-B647B7D2749E", versionEndExcluding: "2.7.5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "02284ABD-BFD3-4E2A-850A-CC12A7996E97", versionEndExcluding: "2.8.4", versionStartIncluding: "2.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "C1A2D87A-55FC-42C0-BB48-E2B5B07EE1CE", versionEndExcluding: "2.9.3", versionStartIncluding: "2.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.10.0:-:*:*:*:*:*:*", matchCriteriaId: "C6E2F16D-CCDD-4DC8-9745-09EA2CD4D4DB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, { lang: "es", value: "Una verificación del nombre de host TLS no puede habilitarse en Pulsar Brokers Java Client, Pulsar Brokers Java Admin Client, Pulsar WebSocket Proxys Java Client, Pulsar Proxys Admin Client, dejando las conexiones intra-clúster y las conexiones de geo-replicación vulnerables a ataques de tipo man in the middle, que podrían filtrar credenciales, datos de configuración, datos de mensajes y cualquier otro dato enviado por estos clientes. La vulnerabilidad es tanto para el protocolo pulsar+ssl como para HTTPS. Un atacante sólo puede aprovecharse de esta vulnerabilidad al tomar el control de una máquina \"entre\" el cliente y el servidor. El atacante debe entonces manipular activamente el tráfico para llevar a cabo el ataque al proporcionar al cliente un certificado criptográficamente válido para un host no relacionado. Este problema afecta a Apache Pulsar Broker, Proxy y WebSocket Proxy versiones 2.7.0 a 2.7.4; 2.8.0 a 2.8.3; 2.9.0 a 2.9.2; 2.10.0; 2.6.4 y anteriores.", }, ], id: "CVE-2022-33682", lastModified: "2024-11-21T07:08:19.170", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-23T10:15:10.297", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-12 10:15
Modified
2024-11-21 08:00
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8 | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "93203072-AF2C-4C1C-9185-709395C44315", versionEndExcluding: "2.10.4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", matchCriteriaId: "8D3BCDDD-21DA-47B6-A8F4-76822E11662B", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*", matchCriteriaId: "AB395C43-88B4-4DE3-8ADC-D276C86250D7", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*", matchCriteriaId: "E90E85B9-B04D-4BCB-B7A8-7526C991F022", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.\n\nThis issue affects Apache Pulsar: before 2.10.4, and 2.11.0.\n\nWhen a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.\n\nThe recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.\n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\n3.0 Pulsar Function Worker users are unaffected.\nAny users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\n", }, ], id: "CVE-2023-30429", lastModified: "2024-11-21T08:00:10.013", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 5.8, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-12T10:15:09.937", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-03-12 19:15
Modified
2025-02-13 18:17
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/9 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-27135/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/9 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-27135/ | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1CC67E07-21B9-485E-8169-0AD81B773690", versionEndExcluding: "2.10.6", versionStartIncluding: "2.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5615177E-1EAD-4F00-8230-FE7C3B67A641", versionEndExcluding: "2.11.4", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5EC9804F-D93F-41C5-963D-F42DA8779249", versionEndExcluding: "3.0.3", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "44F5BF49-6151-4A0E-BD7D-280CBB09A868", versionEndExcluding: "3.1.3", versionStartIncluding: "3.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*", matchCriteriaId: "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.", }, { lang: "es", value: "La validación de entrada incorrecta en Pulsar Function Worker permite que un usuario autenticado malicioso ejecute código Java arbitrario en Pulsar Function Worker, fuera de los entornos limitados designados para ejecutar funciones proporcionadas por el usuario. Esta vulnerabilidad también se aplica al Pulsar Broker cuando está configurado con \"functionsWorkerEnabled=true\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas.", }, ], id: "CVE-2024-27135", lastModified: "2025-02-13T18:17:19.870", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 6, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-12T19:15:47.567", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/9", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27135/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27135/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, { lang: "en", value: "CWE-913", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-03-12 19:15
Modified
2025-01-19 03:09
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/11 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-27894/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/11 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-27894/ | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1CC67E07-21B9-485E-8169-0AD81B773690", versionEndExcluding: "2.10.6", versionStartIncluding: "2.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5615177E-1EAD-4F00-8230-FE7C3B67A641", versionEndExcluding: "2.11.4", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "5EC9804F-D93F-41C5-963D-F42DA8779249", versionEndExcluding: "3.0.3", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "44F5BF49-6151-4A0E-BD7D-280CBB09A868", versionEndExcluding: "3.1.3", versionStartIncluding: "3.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*", matchCriteriaId: "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\nThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\n\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.", }, { lang: "es", value: "Pulsar Functions Worker incluye una capacidad que permite a los usuarios autenticados crear funciones donde se hace referencia a la implementación de la función mediante una URL. Los esquemas de URL admitidos incluyen \"archivo\", \"http\" y \"https\". Cuando se crea una función utilizando este método, Functions Worker recuperará la implementación de la URL proporcionada por el usuario. Sin embargo, esta característica introduce una vulnerabilidad que puede ser aprovechada por un atacante para obtener acceso no autorizado a cualquier archivo para el que el proceso Pulsar Functions Worker tenga permisos de lectura. Esto incluye la lectura del entorno del proceso, que potencialmente incluye información confidencial, como secretos. Además, un atacante podría aprovechar esta vulnerabilidad para utilizar Pulsar Functions Worker como proxy para acceder al contenido de las URL de endpoints HTTP y HTTPS remotos. Esto también podría usarse para llevar a cabo ataques de denegación de servicio. Esta vulnerabilidad también se aplica al Pulsar Broker cuando está configurado con \"functionsWorkerEnabled=true\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas. Las versiones actualizadas de Pulsar Functions Worker impondrán, de forma predeterminada, restricciones a la creación de funciones mediante URL. Para los usuarios que dependen de esta funcionalidad, la configuración de Function Worker proporciona dos claves de configuración: \"additionalEnabledConnectorUrlPatterns\" y \"additionalEnabledFunctionsUrlPatterns\". Estas claves permiten a los usuarios especificar un conjunto de patrones de URL permitidos, lo que permite la creación de funciones utilizando URL que coinciden con los patrones definidos. Este enfoque garantiza que la función permanezca disponible para quienes la requieren, al tiempo que limita el potencial de acceso y explotación no autorizados.", }, ], id: "CVE-2024-27894", lastModified: "2025-01-19T03:09:08.147", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 6, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-12T19:15:47.970", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/11", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27894/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/11", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2024-27894/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, { lang: "en", value: "CWE-552", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-05-26 13:15
Modified
2024-11-21 05:49
Severity ?
Summary
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "A97EC45B-CE27-4BD1-9615-E71D4FD76A0C", versionEndExcluding: "2.7.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins).", }, { lang: "es", value: "Si Apache Pulsar está configurado para autenticar clientes utilizando tokens basados ??en JSON Web Tokens (JWT), la firma del token no es comprobada si el algoritmo del token presentado se establece en \"none\". Esto permite a un atacante conectarse a las instancias de Pulsar como cualquier usuario (incluidos los administradores)", }, ], id: "CVE-2021-22160", lastModified: "2024-11-21T05:49:37.470", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-26T13:15:07.697", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-347", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-11-04 12:15
Modified
2024-11-21 07:08
Severity ?
Summary
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv | Issue Tracking, Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv | Issue Tracking, Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1DC4ED3C-514F-4895-B0D8-1160207FA2AD", versionEndIncluding: "2.6.4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "E1D90423-FEF6-41F0-82D3-2FD7AF67006B", versionEndExcluding: "2.7.5", versionStartIncluding: "2.7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "02284ABD-BFD3-4E2A-850A-CC12A7996E97", versionEndExcluding: "2.8.4", versionStartIncluding: "2.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "C1A2D87A-55FC-42C0-BB48-E2B5B07EE1CE", versionEndExcluding: "2.9.3", versionStartIncluding: "2.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "F2E6D308-6DCF-483F-966B-2E618CEC10BF", versionEndExcluding: "2.10.2", versionStartIncluding: "2.10.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.", }, { lang: "es", value: "El cliente Apache Pulsar C++ no verifica los certificados TLS de los peers al realizar llamadas HTTPS para el flujo de credenciales del cliente OAuth2.0, incluso cuando tlsAllowInsecureConnection está deshabilitado mediante la configuración. Esta vulnerabilidad permite a un atacante realizar un ataque intermediario e interceptar y/o modificar la solicitud GET que se envía a la 'URL del emisor' de ClientCredentialFlow. Las credenciales interceptadas se pueden utilizar para adquirir datos de autenticación del servidor OAuth2.0 para luego autenticarse con un clúster Apache Pulsar. Un atacante sólo puede aprovechar esta vulnerabilidad tomando el control de una máquina \"entre\" el cliente y el servidor. Luego, el atacante debe manipular activamente el tráfico para realizar el ataque. El cliente Apache Pulsar Python envuelve el cliente C++, por lo que también es vulnerable de la misma manera. Este problema afecta a las versiones 2.7.0 a 2.7.4 del cliente Apache Pulsar C++ y del cliente Python; 2.8.0 a 2.8.3; 2.9.0 a 2.9.2; 2.10.0 a 2.10.1; 2.6.4 y anteriores. Cualquier usuario que ejecute versiones afectadas del Cliente C++ o del Cliente Python debe rotar las credenciales OAuth2.0 vulnerables, incluidas client_id y client_secret. Los usuarios de 2.7 C++ y Python Client deben actualizar a 2.7.5 y rotar las credenciales vulnerables de OAuth2.0. Los usuarios de 2.8 C++ y Python Client deben actualizar a 2.8.4 y rotar las credenciales vulnerables de OAuth2.0. Los usuarios de 2.9 C++ y Python Client deben actualizar a 2.9.3 y rotar las credenciales vulnerables de OAuth2.0. Los usuarios de 2.10 C++ y Python Client deben actualizar a 2.10.2 y rotar las credenciales vulnerables de OAuth2.0. Los usuarios de 3.0 C++ no se ven afectados y los usuarios de 3.0 Python Client no se verán afectados cuando se lance. Cualquier usuario que ejecute C++ y Python Client para 2.6 o menos debe actualizar a una de las versiones parcheadas anteriores.", }, ], id: "CVE-2022-33684", lastModified: "2024-11-21T07:08:19.443", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-11-04T12:15:13.123", references: [ { source: "security@apache.org", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f", }, { source: "security@apache.org", tags: [ "Issue Tracking", "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-12-20 09:15
Modified
2024-11-21 08:11
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "D512CD7B-D493-491E-A6C5-879E81251897", versionEndExcluding: "2.10.5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "0ECAEE42-ADBE-40B3-BD33-3C7D2006C2C5", versionEndExcluding: "2.11.2", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "B50CF4D0-189C-404B-9906-04E7BB94B574", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\n\nThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\n\nThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\n\n2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\n2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\n3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\n3.1 Pulsar WebSocket Proxy users are unaffected.\nAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.", }, { lang: "es", value: "Vulnerabilidad de autenticación incorrecta en Apache Pulsar WebSocket Proxy permite a un atacante conectarse al endpoint /pingpong sin autenticación. Este problema afecta a Apache Pulsar WebSocket Proxy: desde 2.8.0 hasta 2.8.*, desde 2.9.0 hasta 2.9.*, desde 2.10.0 hasta 2.10.4, desde 2.11.0 hasta 2.11.1, 3.0.0. Los riesgos conocidos incluyen una denegación de servicio debido a que WebSocket Proxy acepta cualquier conexión y una transferencia excesiva de datos debido al mal uso de la función de ping/pong de WebSocket. 2.10 Los usuarios de Pulsar WebSocket Proxy deben actualizar al menos a 2.10.5. 2.11 Los usuarios de Pulsar WebSocket Proxy deben actualizar al menos a 2.11.2. 3.0 Los usuarios de Pulsar WebSocket Proxy deben actualizar al menos a 3.0.1. 3.1 Los usuarios de Pulsar WebSocket Proxy no se ven afectados. Cualquier usuario que ejecute Pulsar WebSocket Proxy para 2.8, 2.9 y versiones anteriores debe actualizar a una de las versiones parcheadas anteriores.", }, ], id: "CVE-2023-37544", lastModified: "2024-11-21T08:11:54.283", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-20T09:15:07.007", references: [ { source: "security@apache.org", tags: [ "Mailing List", ], url: "http://www.openwall.com/lists/oss-security/2023/12/20/2", }, { source: "security@apache.org", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "http://www.openwall.com/lists/oss-security/2023/12/20/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-23 10:15
Modified
2024-11-21 07:08
Severity ?
Summary
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1329962E-1B1C-42B1-B3E3-B647B7D2749E", versionEndExcluding: "2.7.5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "02284ABD-BFD3-4E2A-850A-CC12A7996E97", versionEndExcluding: "2.8.4", versionStartIncluding: "2.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "C1A2D87A-55FC-42C0-BB48-E2B5B07EE1CE", versionEndExcluding: "2.9.3", versionStartIncluding: "2.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.10.0:-:*:*:*:*:*:*", matchCriteriaId: "C6E2F16D-CCDD-4DC8-9745-09EA2CD4D4DB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.", }, { lang: "es", value: "Apache Pulsar Brokers and Proxies crean un Pulsar Admin Client interno que no verifica los certificados TLS de los compañeros, incluso cuando tlsAllowInsecureConnection está deshabilitado por medio de la configuración. Las conexiones HTTPS intra-clúster y de geo-replicación del Pulsar Admin Client son vulnerables a ataques de tipo man in the middle, que podrían filtrar datos de autenticación, datos de configuración y cualquier otro dato enviado por estos clientes. Un atacante sólo puede aprovecharse de esta vulnerabilidad al tomar el control de una máquina \"entre\" el cliente y el servidor. El atacante debe entonces manipular activamente el tráfico para llevar a cabo el ataque. Este problema afecta a Apache Pulsar Broker y Proxy versiones 2.7.0 a 2.7.4; 2.8.0 a 2.8.3; 2.9.0 a 2.9.2; 2.10.0; 2.6.4 y anteriores.", }, ], id: "CVE-2022-33683", lastModified: "2024-11-21T07:08:19.320", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-23T10:15:10.353", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-12 10:15
Modified
2024-11-21 08:00
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.
This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.
The vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.
There are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.
2.8 Pulsar Broker users and earlier are unaffected.
2.9 Pulsar Broker users should upgrade to one of the patched versions.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5 | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "C219C70D-774B-4E29-90DF-CB14D7AAE6FB", versionEndIncluding: "2.9.5", versionStartIncluding: "2.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "6E8AD5B6-4685-4C1F-912A-37D4956B077F", versionEndExcluding: "2.10.4", versionStartIncluding: "2.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", matchCriteriaId: "8D3BCDDD-21DA-47B6-A8F4-76822E11662B", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*", matchCriteriaId: "AB395C43-88B4-4DE3-8ADC-D276C86250D7", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*", matchCriteriaId: "E90E85B9-B04D-4BCB-B7A8-7526C991F022", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.\nThis issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.\n\nThe vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.\n\nThere are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.\n\n2.8 Pulsar Broker users and earlier are unaffected.\n2.9 Pulsar Broker users should upgrade to one of the patched versions.\n2.10 Pulsar Broker users should upgrade to at least 2.10.4.\n2.11 Pulsar Broker users should upgrade to at least 2.11.1.\n3.0 Pulsar Broker users are unaffected.\n\n", }, ], id: "CVE-2023-30428", lastModified: "2024-11-21T08:00:09.863", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.8, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-12T10:15:09.853", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-12 10:15
Modified
2024-11-21 08:01
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.
This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.
2.9 Pulsar Broker users should upgrade to at least 2.9.5.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj | Mailing List, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "575C3B42-8D3E-492F-B7AB-8EEBCEF74B97", versionEndExcluding: "2.9.5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "CD068741-3004-4367-A620-701FCB9CF1AD", versionEndIncluding: "2.10.3", versionStartIncluding: "2.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*", matchCriteriaId: "8D3BCDDD-21DA-47B6-A8F4-76822E11662B", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*", matchCriteriaId: "AB395C43-88B4-4DE3-8ADC-D276C86250D7", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*", matchCriteriaId: "E90E85B9-B04D-4BCB-B7A8-7526C991F022", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.\n\nThis issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.\n\n2.9 Pulsar Broker users should upgrade to at least 2.9.5.\n2.10 Pulsar Broker users should upgrade to at least 2.10.4.\n2.11 Pulsar Broker users should upgrade to at least 2.11.1.\n3.0 Pulsar Broker users are unaffected.\nAny users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.\n", }, ], id: "CVE-2023-31007", lastModified: "2024-11-21T08:01:13.920", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 0, baseSeverity: "NONE", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 0, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-12T10:15:10.013", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-07 10:15
Modified
2024-11-21 08:38
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.
Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.
For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "1DA223E6-F59D-4BB5-971A-1CC1914C70E4", versionEndIncluding: "2.10.5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "CDA5C2BD-D15D-40F8-8418-8382248881E3", versionEndExcluding: "2.11.3", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "F07DBEFA-B9F0-4497-B85A-41C753961E70", versionEndExcluding: "3.0.2", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*", matchCriteriaId: "447E0901-B5CA-42BE-B894-41E158B123AD", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.1.0:candidate_1:*:*:*:*:*:*", matchCriteriaId: "BA3F2622-FDD4-48B9-81E3-6BE8B553F77C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n", }, { lang: "es", value: "Una vulnerabilidad de discrepancia de tiempo observable en Apache Pulsar SASL Authentication Provider puede permitir a un atacante falsificar un token de función SASL que pasará la verificación de firma. Se recomienda a los usuarios actualizar a la versión 2.11.3, 3.0.2 o 3.1.1, que soluciona el problema. Los usuarios también deberían considerar actualizar el secreto configurado en el archivo `saslJaasServerRoleTokenSignerSecretPath`. Cualquier componente que coincida con una versión anterior que ejecute el proveedor de autenticación SASL se verá afectado. Eso incluye Pulsar Broker, Proxy, Websocket Proxy o Function Worker. 2.11 Los usuarios de Pulsar deben actualizar al menos a 2.11.3. Los usuarios de Pulsar 3.0 deben actualizar al menos a 3.0.2. 3.1 Los usuarios de Pulsar deben actualizar al menos a 3.1.1. Cualquier usuario que ejecute Pulsar 2.8, 2.9, 2.10 y versiones anteriores debe actualizar a una de las versiones parcheadas anteriores. Para obtener detalles adicionales sobre este vector de ataque, consulte https://codahale.com/a-lesson-in-timing-attacks/.", }, ], id: "CVE-2023-51437", lastModified: "2024-11-21T08:38:06.947", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.2, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-07T10:15:08.137", references: [ { source: "security@apache.org", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5", }, { source: "security@apache.org", url: "https://www.openwall.com/lists/oss-security/2024/02/07/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.openwall.com/lists/oss-security/2024/02/07/1", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-203", }, ], source: "security@apache.org", type: "Primary", }, { description: [ { lang: "en", value: "CWE-203", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-03-12 19:15
Modified
2025-01-22 17:59
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.
This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.
The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.
2.10 Pulsar Proxy users should upgrade to at least 2.10.6.
2.11 Pulsar Proxy users should upgrade to at least 2.11.3.
3.0 Pulsar Proxy users should upgrade to at least 3.0.2.
3.1 Pulsar Proxy users should upgrade to at least 3.1.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/8 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8 | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2022-34321/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/8 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2022-34321/ | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "0DEE7013-A1A8-4DE5-A4EF-BED97EF3A7FE", versionEndExcluding: "2.10.6", versionStartIncluding: "2.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "CDA5C2BD-D15D-40F8-8418-8382248881E3", versionEndExcluding: "2.11.3", versionStartIncluding: "2.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*", matchCriteriaId: "F07DBEFA-B9F0-4497-B85A-41C753961E70", versionEndExcluding: "3.0.2", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*", matchCriteriaId: "447E0901-B5CA-42BE-B894-41E158B123AD", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\n\nThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\n\nThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.\n\n2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\n2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\n3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\n3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.", }, { lang: "es", value: "Una vulnerabilidad de autenticación incorrecta en Apache Pulsar Proxy permite a un atacante conectarse al endpoint /proxy-stats sin autenticación. El endpoint vulnerable expone estadísticas detalladas sobre conexiones activas, junto con la capacidad de modificar el nivel de registro de conexiones proxy sin requerir credenciales de autenticación adecuadas. Este problema afecta a las versiones de Apache Pulsar de 2.6.0 a 2.10.5, de 2.11.0 a 2.11.2, de 3.0.0 a 3.0.1 y 3.1.0. Los riesgos conocidos incluyen la exposición de información confidencial, como la IP del cliente conectado, y la manipulación no autorizada del nivel de registro, lo que podría conducir a una condición de denegación de servicio al aumentar significativamente la sobrecarga de registro del proxy. Cuando se implementa a través del gráfico Apache Pulsar Helm dentro de entornos de Kubernetes, es posible que la IP real del cliente no se revele a través del comportamiento predeterminado del balanceador de carga, que normalmente oscurece las direcciones IP de origen originales cuando externalTrafficPolicy se configura en \"Clúster\" de forma predeterminada. El endpoint /proxy-stats contiene estadísticas a nivel de tema; sin embargo, en la configuración predeterminada, no se sabe que las estadísticas a nivel de tema estén expuestas. 2.10 Los usuarios de Pulsar Proxy deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Proxy deben actualizar al menos a 2.11.3. Los usuarios de Pulsar Proxy 3.0 deben actualizar al menos a 3.0.2. 3.1 Los usuarios de Pulsar Proxy deben actualizar al menos a 3.1.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas. Además, es imperativo reconocer que Apache Pulsar Proxy no está manipulado para exposición directa a Internet. El diseño arquitectónico de Pulsar Proxy supone que funcionará dentro de un entorno de red seguro, salvaguardado por defensas perimetrales adecuadas.", }, ], id: "CVE-2022-34321", lastModified: "2025-01-22T17:59:49.280", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.2, source: "security@apache.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-12T19:15:47.303", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/8", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2022-34321/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/12/8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pulsar.apache.org/security/CVE-2022-34321/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-306", }, ], source: "security@apache.org", type: "Primary", }, ], }