Search criteria
60 vulnerabilities found for pulsar by apache
FKIE_CVE-2025-30677
Vulnerability from fkie_nvd - Published: 2025-04-09 12:15 - Updated: 2025-07-15 19:15
Severity ?
Summary
Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.
This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.
This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.
3.0.x version users should upgrade to at least 3.0.11.
3.3.x version users should upgrade to at least 3.3.6.
4.0.x version users should upgrade to at least 4.0.4.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d | Mailing List, Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/04/09/2 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "67B90A7D-A5DA-4CA6-8FAD-95B56693FB49",
"versionEndExcluding": "3.0.11",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "689CD007-FC77-4F5D-A6EF-344BEFD4E3A9",
"versionEndExcluding": "3.3.6",
"versionStartIncluding": "3.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B465449A-7F8D-49F2-AE8A-067D1C8A23D3",
"versionEndExcluding": "4.0.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\n\n\nThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\n\nThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\n\n\n3.0.x version users should upgrade to at least 3.0.11.\n\n3.3.x version users should upgrade to at least 3.3.6.\n\n4.0.x version users should upgrade to at least 4.0.4.\n\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
},
{
"lang": "es",
"value": "Apache Pulsar contiene m\u00faltiples conectores para la integraci\u00f3n con Apache Kafka. Los conectores de origen, receptor y receptor del adaptador Kafka Connect de Pulsar IO registran propiedades de configuraci\u00f3n sensibles en texto plano en los registros de la aplicaci\u00f3n. Esta vulnerabilidad puede provocar la exposici\u00f3n involuntaria de credenciales en los archivos de registro, lo que podr\u00eda permitir a atacantes con acceso a estos registros obtener credenciales de Apache Kafka. El impacto de la vulnerabilidad es limitado debido a que un atacante necesitar\u00eda acceder a los registros de la aplicaci\u00f3n para explotar este problema. Este problema afecta a los conectores de Apache Kafka de Apache Pulsar IO en todas las versiones anteriores a la 3.0.11, 3.3.6 y 4.0.4. Los usuarios de la versi\u00f3n 3.0.x deben actualizar al menos a la 3.0.11. Los usuarios de la versi\u00f3n 3.3.x deben actualizar al menos a la 3.3.6. Los usuarios de la versi\u00f3n 4.0.x deben actualizar al menos a la 4.0.4. Los usuarios de versiones anteriores a las mencionadas anteriormente deben actualizar a las versiones parcheadas mencionadas o a versiones m\u00e1s recientes."
}
],
"id": "CVE-2025-30677",
"lastModified": "2025-07-15T19:15:05.073",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@apache.org",
"type": "Secondary"
}
]
},
"published": "2025-04-09T12:15:15.363",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-29834
Vulnerability from fkie_nvd - Published: 2024-04-02 20:15 - Updated: 2025-01-24 16:21
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.
3.0 Apache Pulsar users should upgrade to at least 3.0.4.
3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/04/02/2 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5 | Mailing List, Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-29834/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/04/02/2 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-29834/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6F72E981-1033-4288-B32A-D8BA23842F0A",
"versionEndIncluding": "2.10.6",
"versionStartIncluding": "2.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BA0ADBDB-CBD3-465A-8A24-CA20BE0F2965",
"versionEndIncluding": "2.11.4",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "39CB0C2C-FFA0-47AD-AE95-33EDCD69D747",
"versionEndExcluding": "3.0.4",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B345AA3-0ACC-4953-B214-F505CDB077F6",
"versionEndIncluding": "3.1.3",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92141F66-6615-4D09-9CD1-FB2341B7194E",
"versionEndExcluding": "3.2.2",
"versionStartIncluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \n\n3.0 Apache Pulsar users should upgrade to at least 3.0.4.\n3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
},
{
"lang": "es",
"value": "Esta vulnerabilidad permite a los usuarios autenticados con permisos de producci\u00f3n o consumo realizar operaciones no autorizadas en temas particionados, como descargar temas y activar la compactaci\u00f3n. Estas operaciones de administraci\u00f3n deben restringirse a los usuarios con la funci\u00f3n de administrador de inquilinos o la funci\u00f3n de superusuario. Un usuario autenticado con permiso de producci\u00f3n puede crear suscripciones y actualizar propiedades de suscripci\u00f3n en temas particionados, aunque esto deber\u00eda limitarse a usuarios con permisos de consumo. Este an\u00e1lisis de impacto supone que Pulsar se ha configurado con el proveedor de autorizaci\u00f3n predeterminado. Para los proveedores de autorizaciones personalizadas, el impacto podr\u00eda ser ligeramente diferente. Adem\u00e1s, la vulnerabilidad permite a un usuario autenticado leer, crear, modificar y eliminar propiedades de espacio de nombres en cualquier espacio de nombres de cualquier inquilino. En Pulsar, las propiedades del espacio de nombres est\u00e1n reservadas para los metadatos proporcionados por el usuario sobre el espacio de nombres. Este problema afecta a las versiones de Apache Pulsar de 2.7.1 a 2.10.6, de 2.11.0 a 2.11.4, de 3.0.0 a 3.0.3, de 3.1.0 a 3.1.3 y de 3.2.0 a 3.2. 1. Los usuarios de Apache Pulsar 3.0 deben actualizar al menos a 3.0.4. Los usuarios de Apache Pulsar 3.1 y 3.2 deben actualizar al menos a 3.2.2. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\u00e1s nuevas."
}
],
"id": "CVE-2024-29834",
"lastModified": "2025-01-24T16:21:24.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-02T20:15:09.607",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/02/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-29834/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/02/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-29834/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2024-28098
Vulnerability from fkie_nvd - Published: 2024-03-12 19:15 - Updated: 2025-02-13 18:17
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6.
2.11 Apache Pulsar users should upgrade to at least 2.11.4.
3.0 Apache Pulsar users should upgrade to at least 3.0.3.
3.1 Apache Pulsar users should upgrade to at least 3.1.3.
3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/12 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-28098/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/12 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-28098/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95759762-9E34-4ACF-8BD3-2609CB2EC397",
"versionEndExcluding": "2.10.6",
"versionStartIncluding": "2.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5615177E-1EAD-4F00-8230-FE7C3B67A641",
"versionEndExcluding": "2.11.4",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EC9804F-D93F-41C5-963D-F42DA8779249",
"versionEndExcluding": "3.0.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44F5BF49-6151-4A0E-BD7D-280CBB09A868",
"versionEndExcluding": "3.1.3",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Apache Pulsar users should upgrade to at least 2.10.6.\n2.11 Apache Pulsar users should upgrade to at least 2.11.4.\n3.0 Apache Pulsar users should upgrade to at least 3.0.3.\n3.1 Apache Pulsar users should upgrade to at least 3.1.3.\n3.2 Apache Pulsar users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
},
{
"lang": "es",
"value": "La vulnerabilidad permite a los usuarios autenticados con permisos solo de producci\u00f3n o consumo modificar pol\u00edticas a nivel de tema, como retenci\u00f3n, TTL y configuraciones de descarga. Estas operaciones de administraci\u00f3n deben restringirse a usuarios con la funci\u00f3n de administrador de inquilinos o la funci\u00f3n de superusuario. Este problema afecta a las versiones de Apache Pulsar de 2.7.1 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Apache Pulsar deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Apache Pulsar deben actualizar al menos a 2.11.4. Los usuarios de Apache Pulsar 3.0 deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Apache Pulsar deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Apache Pulsar deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\u00e1s nuevas."
}
],
"id": "CVE-2024-28098",
"lastModified": "2025-02-13T18:17:46.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-12T19:15:48.177",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-28098/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-28098/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2024-27317
Vulnerability from fkie_nvd - Published: 2024-03-12 19:15 - Updated: 2025-01-19 03:23
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/10 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-27317/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/10 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-27317/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1CC67E07-21B9-485E-8169-0AD81B773690",
"versionEndExcluding": "2.10.6",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5615177E-1EAD-4F00-8230-FE7C3B67A641",
"versionEndExcluding": "2.11.4",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EC9804F-D93F-41C5-963D-F42DA8779249",
"versionEndExcluding": "3.0.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44F5BF49-6151-4A0E-BD7D-280CBB09A868",
"versionEndExcluding": "3.1.3",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren\u0027t properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
},
{
"lang": "es",
"value": "En Pulsar Functions Worker, los usuarios autenticados pueden cargar funciones en archivos jar o nar. Estos archivos, esencialmente archivos zip, son extra\u00eddos por Functions Worker. Sin embargo, si se carga un archivo malicioso, podr\u00eda aprovechar una vulnerabilidad de cruce de directorio. Esto ocurre cuando los nombres de los archivos zip, que no est\u00e1n validados correctamente, contienen elementos especiales como \"..\", alterando la ruta del directorio. Esto podr\u00eda permitir a un atacante crear o modificar archivos fuera del directorio de extracci\u00f3n designado, lo que podr\u00eda influir en el comportamiento del sistema. Esta vulnerabilidad tambi\u00e9n se aplica al Pulsar Broker cuando est\u00e1 configurado con \"functionsWorkerEnabled=true\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\u00e1s nuevas."
}
],
"id": "CVE-2024-27317",
"lastModified": "2025-01-19T03:23:26.087",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-12T19:15:47.777",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/10"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27317/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27317/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2022-34321
Vulnerability from fkie_nvd - Published: 2024-03-12 19:15 - Updated: 2025-01-22 17:59
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.
This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.
The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.
2.10 Pulsar Proxy users should upgrade to at least 2.10.6.
2.11 Pulsar Proxy users should upgrade to at least 2.11.3.
3.0 Pulsar Proxy users should upgrade to at least 3.0.2.
3.1 Pulsar Proxy users should upgrade to at least 3.1.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/8 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8 | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2022-34321/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/8 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2022-34321/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0DEE7013-A1A8-4DE5-A4EF-BED97EF3A7FE",
"versionEndExcluding": "2.10.6",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA5C2BD-D15D-40F8-8418-8382248881E3",
"versionEndExcluding": "2.11.3",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F07DBEFA-B9F0-4497-B85A-41C753961E70",
"versionEndExcluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "447E0901-B5CA-42BE-B894-41E158B123AD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\n\nThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\n\nThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy\u0027s logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer\u0027s default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren\u0027t known to be exposed.\n\n2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\n2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\n3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\n3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it\u0027s imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses."
},
{
"lang": "es",
"value": "Una vulnerabilidad de autenticaci\u00f3n incorrecta en Apache Pulsar Proxy permite a un atacante conectarse al endpoint /proxy-stats sin autenticaci\u00f3n. El endpoint vulnerable expone estad\u00edsticas detalladas sobre conexiones activas, junto con la capacidad de modificar el nivel de registro de conexiones proxy sin requerir credenciales de autenticaci\u00f3n adecuadas. Este problema afecta a las versiones de Apache Pulsar de 2.6.0 a 2.10.5, de 2.11.0 a 2.11.2, de 3.0.0 a 3.0.1 y 3.1.0. Los riesgos conocidos incluyen la exposici\u00f3n de informaci\u00f3n confidencial, como la IP del cliente conectado, y la manipulaci\u00f3n no autorizada del nivel de registro, lo que podr\u00eda conducir a una condici\u00f3n de denegaci\u00f3n de servicio al aumentar significativamente la sobrecarga de registro del proxy. Cuando se implementa a trav\u00e9s del gr\u00e1fico Apache Pulsar Helm dentro de entornos de Kubernetes, es posible que la IP real del cliente no se revele a trav\u00e9s del comportamiento predeterminado del balanceador de carga, que normalmente oscurece las direcciones IP de origen originales cuando externalTrafficPolicy se configura en \"Cl\u00faster\" de forma predeterminada. El endpoint /proxy-stats contiene estad\u00edsticas a nivel de tema; sin embargo, en la configuraci\u00f3n predeterminada, no se sabe que las estad\u00edsticas a nivel de tema est\u00e9n expuestas. 2.10 Los usuarios de Pulsar Proxy deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Proxy deben actualizar al menos a 2.11.3. Los usuarios de Pulsar Proxy 3.0 deben actualizar al menos a 3.0.2. 3.1 Los usuarios de Pulsar Proxy deben actualizar al menos a 3.1.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\u00e1s nuevas. Adem\u00e1s, es imperativo reconocer que Apache Pulsar Proxy no est\u00e1 manipulado para exposici\u00f3n directa a Internet. El dise\u00f1o arquitect\u00f3nico de Pulsar Proxy supone que funcionar\u00e1 dentro de un entorno de red seguro, salvaguardado por defensas perimetrales adecuadas."
}
],
"id": "CVE-2022-34321",
"lastModified": "2025-01-22T17:59:49.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-12T19:15:47.303",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/8"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2022-34321/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2022-34321/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2024-27135
Vulnerability from fkie_nvd - Published: 2024-03-12 19:15 - Updated: 2025-02-13 18:17
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/9 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-27135/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/9 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-27135/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1CC67E07-21B9-485E-8169-0AD81B773690",
"versionEndExcluding": "2.10.6",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5615177E-1EAD-4F00-8230-FE7C3B67A641",
"versionEndExcluding": "2.11.4",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EC9804F-D93F-41C5-963D-F42DA8779249",
"versionEndExcluding": "3.0.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44F5BF49-6151-4A0E-BD7D-280CBB09A868",
"versionEndExcluding": "3.1.3",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
},
{
"lang": "es",
"value": "La validaci\u00f3n de entrada incorrecta en Pulsar Function Worker permite que un usuario autenticado malicioso ejecute c\u00f3digo Java arbitrario en Pulsar Function Worker, fuera de los entornos limitados designados para ejecutar funciones proporcionadas por el usuario. Esta vulnerabilidad tambi\u00e9n se aplica al Pulsar Broker cuando est\u00e1 configurado con \"functionsWorkerEnabled=true\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\u00e1s nuevas."
}
],
"id": "CVE-2024-27135",
"lastModified": "2025-02-13T18:17:19.870",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-12T19:15:47.567",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/9"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27135/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27135/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-913"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2024-27894
Vulnerability from fkie_nvd - Published: 2024-03-12 19:15 - Updated: 2025-01-19 03:09
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/03/12/11 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p | Vendor Advisory | |
| security@apache.org | https://pulsar.apache.org/security/CVE-2024-27894/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/12/11 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pulsar.apache.org/security/CVE-2024-27894/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1CC67E07-21B9-485E-8169-0AD81B773690",
"versionEndExcluding": "2.10.6",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5615177E-1EAD-4F00-8230-FE7C3B67A641",
"versionEndExcluding": "2.11.4",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EC9804F-D93F-41C5-963D-F42DA8779249",
"versionEndExcluding": "3.0.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44F5BF49-6151-4A0E-BD7D-280CBB09A868",
"versionEndExcluding": "3.1.3",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function\u0027s implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\nThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\n\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation."
},
{
"lang": "es",
"value": "Pulsar Functions Worker incluye una capacidad que permite a los usuarios autenticados crear funciones donde se hace referencia a la implementaci\u00f3n de la funci\u00f3n mediante una URL. Los esquemas de URL admitidos incluyen \"archivo\", \"http\" y \"https\". Cuando se crea una funci\u00f3n utilizando este m\u00e9todo, Functions Worker recuperar\u00e1 la implementaci\u00f3n de la URL proporcionada por el usuario. Sin embargo, esta caracter\u00edstica introduce una vulnerabilidad que puede ser aprovechada por un atacante para obtener acceso no autorizado a cualquier archivo para el que el proceso Pulsar Functions Worker tenga permisos de lectura. Esto incluye la lectura del entorno del proceso, que potencialmente incluye informaci\u00f3n confidencial, como secretos. Adem\u00e1s, un atacante podr\u00eda aprovechar esta vulnerabilidad para utilizar Pulsar Functions Worker como proxy para acceder al contenido de las URL de endpoints HTTP y HTTPS remotos. Esto tambi\u00e9n podr\u00eda usarse para llevar a cabo ataques de denegaci\u00f3n de servicio. Esta vulnerabilidad tambi\u00e9n se aplica al Pulsar Broker cuando est\u00e1 configurado con \"functionsWorkerEnabled=true\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\u00e1s nuevas. Las versiones actualizadas de Pulsar Functions Worker impondr\u00e1n, de forma predeterminada, restricciones a la creaci\u00f3n de funciones mediante URL. Para los usuarios que dependen de esta funcionalidad, la configuraci\u00f3n de Function Worker proporciona dos claves de configuraci\u00f3n: \"additionalEnabledConnectorUrlPatterns\" y \"additionalEnabledFunctionsUrlPatterns\". Estas claves permiten a los usuarios especificar un conjunto de patrones de URL permitidos, lo que permite la creaci\u00f3n de funciones utilizando URL que coinciden con los patrones definidos. Este enfoque garantiza que la funci\u00f3n permanezca disponible para quienes la requieren, al tiempo que limita el potencial de acceso y explotaci\u00f3n no autorizados."
}
],
"id": "CVE-2024-27894",
"lastModified": "2025-01-19T03:09:08.147",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-12T19:15:47.970",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/11"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27894/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27894/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-51437
Vulnerability from fkie_nvd - Published: 2024-02-07 10:15 - Updated: 2024-11-21 08:38
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.
Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.
For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1DA223E6-F59D-4BB5-971A-1CC1914C70E4",
"versionEndIncluding": "2.10.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA5C2BD-D15D-40F8-8418-8382248881E3",
"versionEndExcluding": "2.11.3",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F07DBEFA-B9F0-4497-B85A-41C753961E70",
"versionEndExcluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "447E0901-B5CA-42BE-B894-41E158B123AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.1.0:candidate_1:*:*:*:*:*:*",
"matchCriteriaId": "BA3F2622-FDD4-48B9-81E3-6BE8B553F77C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n"
},
{
"lang": "es",
"value": "Una vulnerabilidad de discrepancia de tiempo observable en Apache Pulsar SASL Authentication Provider puede permitir a un atacante falsificar un token de funci\u00f3n SASL que pasar\u00e1 la verificaci\u00f3n de firma. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.11.3, 3.0.2 o 3.1.1, que soluciona el problema. Los usuarios tambi\u00e9n deber\u00edan considerar actualizar el secreto configurado en el archivo `saslJaasServerRoleTokenSignerSecretPath`. Cualquier componente que coincida con una versi\u00f3n anterior que ejecute el proveedor de autenticaci\u00f3n SASL se ver\u00e1 afectado. Eso incluye Pulsar Broker, Proxy, Websocket Proxy o Function Worker. 2.11 Los usuarios de Pulsar deben actualizar al menos a 2.11.3. Los usuarios de Pulsar 3.0 deben actualizar al menos a 3.0.2. 3.1 Los usuarios de Pulsar deben actualizar al menos a 3.1.1. Cualquier usuario que ejecute Pulsar 2.8, 2.9, 2.10 y versiones anteriores debe actualizar a una de las versiones parcheadas anteriores. Para obtener detalles adicionales sobre este vector de ataque, consulte https://codahale.com/a-lesson-in-timing-attacks/."
}
],
"id": "CVE-2023-51437",
"lastModified": "2024-11-21T08:38:06.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-07T10:15:08.137",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
},
{
"source": "security@apache.org",
"url": "https://www.openwall.com/lists/oss-security/2024/02/07/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.openwall.com/lists/oss-security/2024/02/07/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-37544
Vulnerability from fkie_nvd - Published: 2023-12-20 09:15 - Updated: 2024-11-21 08:11
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D512CD7B-D493-491E-A6C5-879E81251897",
"versionEndExcluding": "2.10.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0ECAEE42-ADBE-40B3-BD33-3C7D2006C2C5",
"versionEndExcluding": "2.11.2",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B50CF4D0-189C-404B-9906-04E7BB94B574",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\n\nThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\n\nThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\n\n2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\n2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\n3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\n3.1 Pulsar WebSocket Proxy users are unaffected.\nAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
},
{
"lang": "es",
"value": "Vulnerabilidad de autenticaci\u00f3n incorrecta en Apache Pulsar WebSocket Proxy permite a un atacante conectarse al endpoint /pingpong sin autenticaci\u00f3n. Este problema afecta a Apache Pulsar WebSocket Proxy: desde 2.8.0 hasta 2.8.*, desde 2.9.0 hasta 2.9.*, desde 2.10.0 hasta 2.10.4, desde 2.11.0 hasta 2.11.1, 3.0.0. Los riesgos conocidos incluyen una denegaci\u00f3n de servicio debido a que WebSocket Proxy acepta cualquier conexi\u00f3n y una transferencia excesiva de datos debido al mal uso de la funci\u00f3n de ping/pong de WebSocket. 2.10 Los usuarios de Pulsar WebSocket Proxy deben actualizar al menos a 2.10.5. 2.11 Los usuarios de Pulsar WebSocket Proxy deben actualizar al menos a 2.11.2. 3.0 Los usuarios de Pulsar WebSocket Proxy deben actualizar al menos a 3.0.1. 3.1 Los usuarios de Pulsar WebSocket Proxy no se ven afectados. Cualquier usuario que ejecute Pulsar WebSocket Proxy para 2.8, 2.9 y versiones anteriores debe actualizar a una de las versiones parcheadas anteriores."
}
],
"id": "CVE-2023-37544",
"lastModified": "2024-11-21T08:11:54.283",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-20T09:15:07.007",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-37579
Vulnerability from fkie_nvd - Published: 2023-07-12 10:15 - Updated: 2024-11-21 08:11
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93203072-AF2C-4C1C-9185-709395C44315",
"versionEndExcluding": "2.10.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*",
"matchCriteriaId": "8D3BCDDD-21DA-47B6-A8F4-76822E11662B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*",
"matchCriteriaId": "AB395C43-88B4-4DE3-8ADC-D276C86250D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*",
"matchCriteriaId": "E90E85B9-B04D-4BCB-B7A8-7526C991F022",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.\n\nThis issue affects Apache Pulsar: before 2.10.4, and 2.11.0.\n\nAny authenticated user can retrieve a source\u0027s configuration or a sink\u0027s configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant\u0027s sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.\n\nThe recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.\n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\n3.0 Pulsar Function Worker users are unaffected.\nAny users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\n\n"
}
],
"id": "CVE-2023-37579",
"lastModified": "2024-11-21T08:11:59.647",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.8,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-12T10:15:11.010",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-31007
Vulnerability from fkie_nvd - Published: 2023-07-12 10:15 - Updated: 2024-11-21 08:01
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.
This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.
2.9 Pulsar Broker users should upgrade to at least 2.9.5.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "575C3B42-8D3E-492F-B7AB-8EEBCEF74B97",
"versionEndExcluding": "2.9.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CD068741-3004-4367-A620-701FCB9CF1AD",
"versionEndIncluding": "2.10.3",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*",
"matchCriteriaId": "8D3BCDDD-21DA-47B6-A8F4-76822E11662B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*",
"matchCriteriaId": "AB395C43-88B4-4DE3-8ADC-D276C86250D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*",
"matchCriteriaId": "E90E85B9-B04D-4BCB-B7A8-7526C991F022",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.\n\nThis issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.\n\n2.9 Pulsar Broker users should upgrade to at least 2.9.5.\n2.10 Pulsar Broker users should upgrade to at least 2.10.4.\n2.11 Pulsar Broker users should upgrade to at least 2.11.1.\n3.0 Pulsar Broker users are unaffected.\nAny users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.\n"
}
],
"id": "CVE-2023-31007",
"lastModified": "2024-11-21T08:01:13.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0.0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 0.0,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-12T10:15:10.013",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2023-30428
Vulnerability from fkie_nvd - Published: 2023-07-12 10:15 - Updated: 2024-11-21 08:00
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.
This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.
The vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.
There are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.
2.8 Pulsar Broker users and earlier are unaffected.
2.9 Pulsar Broker users should upgrade to one of the patched versions.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5 | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C219C70D-774B-4E29-90DF-CB14D7AAE6FB",
"versionEndIncluding": "2.9.5",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E8AD5B6-4685-4C1F-912A-37D4956B077F",
"versionEndExcluding": "2.10.4",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*",
"matchCriteriaId": "8D3BCDDD-21DA-47B6-A8F4-76822E11662B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:*",
"matchCriteriaId": "AB395C43-88B4-4DE3-8ADC-D276C86250D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:*",
"matchCriteriaId": "E90E85B9-B04D-4BCB-B7A8-7526C991F022",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker\u0027s Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker\u0027s admin role.\nThis issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0.\n\nThe vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to exploit this authorization vulnerability.\n\nThere are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.\n\n2.8 Pulsar Broker users and earlier are unaffected.\n2.9 Pulsar Broker users should upgrade to one of the patched versions.\n2.10 Pulsar Broker users should upgrade to at least 2.10.4.\n2.11 Pulsar Broker users should upgrade to at least 2.11.1.\n3.0 Pulsar Broker users are unaffected.\n\n"
}
],
"id": "CVE-2023-30428",
"lastModified": "2024-11-21T08:00:09.863",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.8,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-12T10:15:09.853",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/v39hqtgrmyxr85rmofwvgrktnflbq3q5"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
CVE-2025-30677 (GCVE-0-2025-30677)
Vulnerability from cvelistv5 – Published: 2025-04-09 11:58 – Updated: 2025-04-09 16:03
VLAI?
Summary
Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.
This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.
This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.
3.0.x version users should upgrade to at least 3.0.11.
3.3.x version users should upgrade to at least 3.3.6.
4.0.x version users should upgrade to at least 4.0.4.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar IO Kafka Connector |
Affected:
2.3.0 , < 3.0.11
(semver)
Affected: 3.1.0 , < 3.3.6 (semver) Affected: 4.0.0 , < 4.0.4 (semver) |
|||||||
|
|||||||||
Credits
Kyler Katz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30677",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T13:09:23.522782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T13:12:48.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-09T16:03:27.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.pulsar:pulsar-io-kafka",
"product": "Apache Pulsar IO Kafka Connector",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.0.11",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
},
{
"lessThan": "3.3.6",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor",
"product": "Apache Pulsar IO Kafka Connect Adaptor",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.0.11",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
},
{
"lessThan": "3.3.6",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyler Katz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\u003c/p\u003e\n\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\u003c/p\u003e\n\u003cp\u003e3.0.x version users should upgrade to at least 3.0.11.\u003cbr\u003e\n3.3.x version users should upgrade to at least 3.3.6.\u003cbr\u003e\n4.0.x version users should upgrade to at least 4.0.4.\u003c/p\u003e\n\u003cp\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003c/p\u003e"
}
],
"value": "Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\n\n\nThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\n\nThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\n\n\n3.0.x version users should upgrade to at least 3.0.11.\n\n3.3.x version users should upgrade to at least 3.3.6.\n\n4.0.x version users should upgrade to at least 4.0.4.\n\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T11:58:11.716Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://pulsar.apache.org/security/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar\u0027s Apache Kafka Connectors",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30677",
"datePublished": "2025-04-09T11:58:11.716Z",
"dateReserved": "2025-03-25T12:57:20.495Z",
"dateUpdated": "2025-04-09T16:03:27.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29834 (GCVE-0-2024-29834)
Vulnerability from cvelistv5 – Published: 2024-04-02 19:24 – Updated: 2025-02-13 17:47
VLAI?
Summary
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.
3.0 Apache Pulsar users should upgrade to at least 3.0.4.
3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
6.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.7.1 , ≤ 2.10.6
(semver)
Affected: 2.11.0 , ≤ 2.11.4 (semver) Affected: 3.0.0 , < 3.0.4 (semver) Affected: 3.1.0 , ≤ 3.1.3 (semver) Affected: 3.2.0 , < 3.2.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:57.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-29834/"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/02/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29834",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:59:54.857505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:33:25.142Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.10.6",
"status": "affected",
"version": "2.7.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cdiv\u003e\u003cdiv\u003eThis vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\u003c/div\u003e\u003c/div\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \u003cbr\u003e\u003cbr\u003e3.0 Apache Pulsar users should upgrade to at least 3.0.4.\u003cbr\u003e3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"value": "This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \n\n3.0 Apache Pulsar users should upgrade to at least 3.0.4.\n3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:06:33.488Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-29834/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/02/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29834",
"datePublished": "2024-04-02T19:24:46.473Z",
"dateReserved": "2024-03-20T16:45:27.305Z",
"dateUpdated": "2025-02-13T17:47:43.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27894 (GCVE-0-2024-27894)
Vulnerability from cvelistv5 – Published: 2024-03-12 18:19 – Updated: 2025-02-13 17:47
VLAI?
Summary
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
Severity ?
8.5 (High)
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.4.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
Credits
Lari Hotari of StreamNative
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T16:05:51.769657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:12.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27894/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lari Hotari of StreamNative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function\u0027s implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\u003cbr\u003eThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003cbr\u003e\u003cbr\u003eThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation."
}
],
"value": "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function\u0027s implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\nThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\n\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:09:31.832Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27894/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/11"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27894",
"datePublished": "2024-03-12T18:19:41.084Z",
"dateReserved": "2024-02-26T21:19:23.344Z",
"dateUpdated": "2025-02-13T17:47:12.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27317 (GCVE-0-2024-27317)
Vulnerability from cvelistv5 – Published: 2024-03-12 18:18 – Updated: 2025-02-13 17:46
VLAI?
Summary
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
8.4 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.4.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:34:51.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27317/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T17:16:55.541030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T17:20:20.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren\u0027t properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"value": "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren\u0027t properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:06:42.643Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27317/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar: Pulsar Functions Worker\u0027s Archive Extraction Vulnerability Allows Unauthorized File Modification",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27317",
"datePublished": "2024-03-12T18:18:52.650Z",
"dateReserved": "2024-02-23T16:52:14.017Z",
"dateUpdated": "2025-02-13T17:46:25.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27135 (GCVE-0-2024-27135)
Vulnerability from cvelistv5 – Published: 2024-03-12 18:18 – Updated: 2025-02-13 17:41
VLAI?
Summary
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
8.5 (High)
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.4.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
Credits
Lari Hotari of StreamNative
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:pulsar:2.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:3.0.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T14:22:47.701713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T19:41:30.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27135/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lari Hotari of StreamNative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003cbr\u003e"
}
],
"value": "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "high"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:08:59.095Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27135/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/9"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27135",
"datePublished": "2024-03-12T18:18:06.720Z",
"dateReserved": "2024-02-20T11:50:02.083Z",
"dateUpdated": "2025-02-13T17:41:17.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34321 (GCVE-0-2022-34321)
Vulnerability from cvelistv5 – Published: 2024-03-12 18:17 – Updated: 2025-02-13 16:32
VLAI?
Summary
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.
This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.
The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.
2.10 Pulsar Proxy users should upgrade to at least 2.10.6.
2.11 Pulsar Proxy users should upgrade to at least 2.11.3.
3.0 Pulsar Proxy users should upgrade to at least 3.0.2.
3.1 Pulsar Proxy users should upgrade to at least 3.1.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
Severity ?
8.2 (High)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.6.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.3 (semver) Affected: 3.0.0 , < 3.0.2 (semver) Affected: 3.1.0 , < 3.1.1 (semver) |
Credits
Lari Hotari
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:07:16.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2022-34321/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/8"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.1",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-34321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T18:45:58.606642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T18:48:30.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.1",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lari Hotari"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\u003cbr\u003e\u003cbr\u003eThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy\u0027s logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer\u0027s default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren\u0027t known to be exposed.\u003cbr\u003e\u003cbr\u003e2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\u003cbr\u003e3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\u003cbr\u003e3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it\u0027s imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses."
}
],
"value": "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\n\nThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\n\nThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy\u0027s logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer\u0027s default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren\u0027t known to be exposed.\n\n2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\n2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\n3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\n3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it\u0027s imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:09:08.239Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2022-34321/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-34321",
"datePublished": "2024-03-12T18:17:06.236Z",
"dateReserved": "2022-06-22T16:11:50.885Z",
"dateUpdated": "2025-02-13T16:32:45.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28098 (GCVE-0-2024-28098)
Vulnerability from cvelistv5 – Published: 2024-03-12 18:15 – Updated: 2025-02-13 17:47
VLAI?
Summary
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6.
2.11 Apache Pulsar users should upgrade to at least 2.11.4.
3.0 Apache Pulsar users should upgrade to at least 3.0.3.
3.1 Apache Pulsar users should upgrade to at least 3.1.3.
3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
6.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.7.1 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T18:37:12.167881Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:35.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-28098/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.7.1",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Apache Pulsar users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Apache Pulsar users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Apache Pulsar users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Apache Pulsar users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Apache Pulsar users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003cbr\u003e"
}
],
"value": "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Apache Pulsar users should upgrade to at least 2.10.6.\n2.11 Apache Pulsar users should upgrade to at least 2.11.4.\n3.0 Apache Pulsar users should upgrade to at least 3.0.3.\n3.1 Apache Pulsar users should upgrade to at least 3.1.3.\n3.2 Apache Pulsar users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:06:43.771Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-28098/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar: Improper Authorization For Topic-Level Policy Management",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-28098",
"datePublished": "2024-03-12T18:15:39.848Z",
"dateReserved": "2024-03-04T08:43:49.387Z",
"dateUpdated": "2025-02-13T17:47:15.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51437 (GCVE-0-2023-51437)
Vulnerability from cvelistv5 – Published: 2024-02-07 09:18 – Updated: 2024-08-02 22:32
VLAI?
Summary
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.
Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.
For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
Severity ?
7.4 (High)
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
0 , ≤ 2.10.5
(semver)
Affected: 2.11.0 , ≤ 2.11.2 (semver) Affected: 3.0.0 , ≤ 3.0.1 (semver) Affected: 3.1.0 |
Credits
Yiheng Cao
Chenhao Lu
Kaifeng Huang
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T15:10:54.777111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:56.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:09.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/07/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.10.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.11.2",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yiheng Cao"
},
{
"lang": "en",
"type": "finder",
"value": "Chenhao Lu "
},
{
"lang": "en",
"type": "finder",
"value": "Kaifeng Huang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\u003c/p\u003e2.11 Pulsar users should upgrade to at least 2.11.3.\u003cbr\u003e3.0 Pulsar users should upgrade to at least 3.0.2.\u003cbr\u003e3.1 Pulsar users should upgrade to at least 3.1.1.\u003cbr\u003e\u003cdiv\u003eAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eFor additional details on this attack vector, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://codahale.com/a-lesson-in-timing-attacks/\"\u003ehttps://codahale.com/a-lesson-in-timing-attacks/\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T08:38:36.247Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/07/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Pulsar: Timing attack in SASL token signature verification",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51437",
"datePublished": "2024-02-07T09:18:19.080Z",
"dateReserved": "2023-12-19T06:13:58.560Z",
"dateUpdated": "2024-08-02T22:32:09.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37544 (GCVE-0-2023-37544)
Vulnerability from cvelistv5 – Published: 2023-12-20 08:34 – Updated: 2025-02-13 17:01
VLAI?
Summary
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
Severity ?
7.5 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar WebSocket Proxy |
Affected:
2.8.0 , ≤ 2.8.*
(semver)
Affected: 2.9.0 , ≤ 2.9.* (semver) Affected: 2.10.0 , ≤ 2.10.4 (semver) Affected: 2.11.0 , ≤ 2.11.1 (semver) Affected: 3.0.0 |
Credits
Michael Marshall of DataStax
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar WebSocket Proxy",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.8.*",
"status": "affected",
"version": "2.8.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.9.*",
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.10.4",
"status": "affected",
"version": "2.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Marshall of DataStax"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\u003cbr\u003e\u003cbr\u003eThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\u003cbr\u003e\u003cbr\u003e2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\u003cbr\u003e2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\u003cbr\u003e3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\u003cbr\u003e3.1 Pulsar WebSocket Proxy users are unaffected.\u003cbr\u003eAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
}
],
"value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\n\nThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\n\nThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\n\n2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\n2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\n3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\n3.1 Pulsar WebSocket Proxy users are unaffected.\nAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T08:35:06.415Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-37544",
"datePublished": "2023-12-20T08:34:02.393Z",
"dateReserved": "2023-07-07T05:55:37.670Z",
"dateUpdated": "2025-02-13T17:01:29.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30677 (GCVE-0-2025-30677)
Vulnerability from nvd – Published: 2025-04-09 11:58 – Updated: 2025-04-09 16:03
VLAI?
Summary
Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.
This vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability's impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.
This issue affects Apache Pulsar IO's Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.
3.0.x version users should upgrade to at least 3.0.11.
3.3.x version users should upgrade to at least 3.3.6.
4.0.x version users should upgrade to at least 4.0.4.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar IO Kafka Connector |
Affected:
2.3.0 , < 3.0.11
(semver)
Affected: 3.1.0 , < 3.3.6 (semver) Affected: 4.0.0 , < 4.0.4 (semver) |
|||||||
|
|||||||||
Credits
Kyler Katz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30677",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T13:09:23.522782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T13:12:48.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-09T16:03:27.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.pulsar:pulsar-io-kafka",
"product": "Apache Pulsar IO Kafka Connector",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.0.11",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
},
{
"lessThan": "3.3.6",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.pulsar:pulsar-io-kafka-connect-adaptor",
"product": "Apache Pulsar IO Kafka Connect Adaptor",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.0.11",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
},
{
"lessThan": "3.3.6",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyler Katz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\u003c/p\u003e\n\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\u003c/p\u003e\n\u003cp\u003e3.0.x version users should upgrade to at least 3.0.11.\u003cbr\u003e\n3.3.x version users should upgrade to at least 3.3.6.\u003cbr\u003e\n4.0.x version users should upgrade to at least 4.0.4.\u003c/p\u003e\n\u003cp\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003c/p\u003e"
}
],
"value": "Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs.\n\n\nThis vulnerability can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The vulnerability\u0027s impact is limited by the fact that an attacker would need access to the application logs to exploit this issue.\n\nThis issue affects Apache Pulsar IO\u0027s Apache Kafka connectors in all versions before 3.0.11, 3.3.6, and 4.0.4.\n\n\n3.0.x version users should upgrade to at least 3.0.11.\n\n3.3.x version users should upgrade to at least 3.3.6.\n\n4.0.x version users should upgrade to at least 4.0.4.\n\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T11:58:11.716Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://pulsar.apache.org/security/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zv5fwwrh374r1p5cmksxcd40ssxxko3d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar\u0027s Apache Kafka Connectors",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30677",
"datePublished": "2025-04-09T11:58:11.716Z",
"dateReserved": "2025-03-25T12:57:20.495Z",
"dateUpdated": "2025-04-09T16:03:27.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29834 (GCVE-0-2024-29834)
Vulnerability from nvd – Published: 2024-04-02 19:24 – Updated: 2025-02-13 17:47
VLAI?
Summary
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.
3.0 Apache Pulsar users should upgrade to at least 3.0.4.
3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
6.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.7.1 , ≤ 2.10.6
(semver)
Affected: 2.11.0 , ≤ 2.11.4 (semver) Affected: 3.0.0 , < 3.0.4 (semver) Affected: 3.1.0 , ≤ 3.1.3 (semver) Affected: 3.2.0 , < 3.2.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:57.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-29834/"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/02/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29834",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:59:54.857505Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:33:25.142Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.10.6",
"status": "affected",
"version": "2.7.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cdiv\u003e\u003cdiv\u003eThis vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\u003c/div\u003e\u003c/div\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \u003cbr\u003e\u003cbr\u003e3.0 Apache Pulsar users should upgrade to at least 3.0.4.\u003cbr\u003e3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"value": "This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. \n\n3.0 Apache Pulsar users should upgrade to at least 3.0.4.\n3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:06:33.488Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-29834/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/02/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29834",
"datePublished": "2024-04-02T19:24:46.473Z",
"dateReserved": "2024-03-20T16:45:27.305Z",
"dateUpdated": "2025-02-13T17:47:43.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27894 (GCVE-0-2024-27894)
Vulnerability from nvd – Published: 2024-03-12 18:19 – Updated: 2025-02-13 17:47
VLAI?
Summary
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
Severity ?
8.5 (High)
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.4.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
Credits
Lari Hotari of StreamNative
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T16:05:51.769657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:12.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27894/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lari Hotari of StreamNative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function\u0027s implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\u003cbr\u003eThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003cbr\u003e\u003cbr\u003eThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation."
}
],
"value": "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function\u0027s implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\nThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\n\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:09:31.832Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27894/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/11"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27894",
"datePublished": "2024-03-12T18:19:41.084Z",
"dateReserved": "2024-02-26T21:19:23.344Z",
"dateUpdated": "2025-02-13T17:47:12.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27317 (GCVE-0-2024-27317)
Vulnerability from nvd – Published: 2024-03-12 18:18 – Updated: 2025-02-13 17:46
VLAI?
Summary
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
8.4 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.4.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:34:51.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27317/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T17:16:55.541030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T17:20:20.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren\u0027t properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"value": "In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren\u0027t properly validated, contain special elements like \"..\", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:06:42.643Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27317/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar: Pulsar Functions Worker\u0027s Archive Extraction Vulnerability Allows Unauthorized File Modification",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27317",
"datePublished": "2024-03-12T18:18:52.650Z",
"dateReserved": "2024-02-23T16:52:14.017Z",
"dateUpdated": "2025-02-13T17:46:25.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27135 (GCVE-0-2024-27135)
Vulnerability from nvd – Published: 2024-03-12 18:18 – Updated: 2025-02-13 17:41
VLAI?
Summary
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
8.5 (High)
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.4.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
Credits
Lari Hotari of StreamNative
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:pulsar:2.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:3.0.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T14:22:47.701713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T19:41:30.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27135/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lari Hotari of StreamNative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003cbr\u003e"
}
],
"value": "Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "high"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:08:59.095Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-27135/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/9"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27135",
"datePublished": "2024-03-12T18:18:06.720Z",
"dateReserved": "2024-02-20T11:50:02.083Z",
"dateUpdated": "2025-02-13T17:41:17.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34321 (GCVE-0-2022-34321)
Vulnerability from nvd – Published: 2024-03-12 18:17 – Updated: 2025-02-13 16:32
VLAI?
Summary
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.
This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.
The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren't known to be exposed.
2.10 Pulsar Proxy users should upgrade to at least 2.10.6.
2.11 Pulsar Proxy users should upgrade to at least 2.11.3.
3.0 Pulsar Proxy users should upgrade to at least 3.0.2.
3.1 Pulsar Proxy users should upgrade to at least 3.1.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
Severity ?
8.2 (High)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.6.0 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.3 (semver) Affected: 3.0.0 , < 3.0.2 (semver) Affected: 3.1.0 , < 3.1.1 (semver) |
Credits
Lari Hotari
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:07:16.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2022-34321/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/8"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pulsar",
"vendor": "apache",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.1",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-34321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T18:45:58.606642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T18:48:30.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.1",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lari Hotari"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\u003cbr\u003e\u003cbr\u003eThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy\u0027s logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer\u0027s default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren\u0027t known to be exposed.\u003cbr\u003e\u003cbr\u003e2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\u003cbr\u003e3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\u003cbr\u003e3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it\u0027s imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses."
}
],
"value": "Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.\n\nThis issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.\n\nThe known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy\u0027s logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer\u0027s default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to \"Cluster\" by default. The /proxy-stats endpoint contains topic level statistics, however, in the default configuration, the topic level statistics aren\u0027t known to be exposed.\n\n2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\n2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\n3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\n3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it\u0027s imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:09:08.239Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2022-34321/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-34321",
"datePublished": "2024-03-12T18:17:06.236Z",
"dateReserved": "2022-06-22T16:11:50.885Z",
"dateUpdated": "2025-02-13T16:32:45.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28098 (GCVE-0-2024-28098)
Vulnerability from nvd – Published: 2024-03-12 18:15 – Updated: 2025-02-13 17:47
VLAI?
Summary
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6.
2.11 Apache Pulsar users should upgrade to at least 2.11.4.
3.0 Apache Pulsar users should upgrade to at least 3.0.3.
3.1 Apache Pulsar users should upgrade to at least 3.1.3.
3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Severity ?
6.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
2.7.1 , < 2.10.6
(semver)
Affected: 2.11.0 , < 2.11.4 (semver) Affected: 3.0.0 , < 3.0.3 (semver) Affected: 3.1.0 , < 3.1.3 (semver) Affected: 3.2.0 , < 3.2.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T18:37:12.167881Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:35.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://pulsar.apache.org/security/CVE-2024-28098/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.10.6",
"status": "affected",
"version": "2.7.1",
"versionType": "semver"
},
{
"lessThan": "2.11.4",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.1",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \u003cbr\u003e\u003cbr\u003e2.10 Apache Pulsar users should upgrade to at least 2.10.6.\u003cbr\u003e2.11 Apache Pulsar users should upgrade to at least 2.11.4.\u003cbr\u003e3.0 Apache Pulsar users should upgrade to at least 3.0.3.\u003cbr\u003e3.1 Apache Pulsar users should upgrade to at least 3.1.3.\u003cbr\u003e3.2 Apache Pulsar users should upgrade to at least 3.2.1.\u003cbr\u003e\u003cbr\u003eUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\u003cbr\u003e"
}
],
"value": "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Apache Pulsar users should upgrade to at least 2.10.6.\n2.11 Apache Pulsar users should upgrade to at least 2.11.4.\n3.0 Apache Pulsar users should upgrade to at least 3.0.3.\n3.1 Apache Pulsar users should upgrade to at least 3.1.3.\n3.2 Apache Pulsar users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:06:43.771Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://pulsar.apache.org/security/CVE-2024-28098/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar: Improper Authorization For Topic-Level Policy Management",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-28098",
"datePublished": "2024-03-12T18:15:39.848Z",
"dateReserved": "2024-03-04T08:43:49.387Z",
"dateUpdated": "2025-02-13T17:47:15.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51437 (GCVE-0-2023-51437)
Vulnerability from nvd – Published: 2024-02-07 09:18 – Updated: 2024-08-02 22:32
VLAI?
Summary
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.
Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.
For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
Severity ?
7.4 (High)
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar |
Affected:
0 , ≤ 2.10.5
(semver)
Affected: 2.11.0 , ≤ 2.11.2 (semver) Affected: 3.0.0 , ≤ 3.0.1 (semver) Affected: 3.1.0 |
Credits
Yiheng Cao
Chenhao Lu
Kaifeng Huang
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T15:10:54.777111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:56.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:09.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/02/07/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.10.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.11.2",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yiheng Cao"
},
{
"lang": "en",
"type": "finder",
"value": "Chenhao Lu "
},
{
"lang": "en",
"type": "finder",
"value": "Kaifeng Huang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\u003c/p\u003e2.11 Pulsar users should upgrade to at least 2.11.3.\u003cbr\u003e3.0 Pulsar users should upgrade to at least 3.0.2.\u003cbr\u003e3.1 Pulsar users should upgrade to at least 3.1.1.\u003cbr\u003e\u003cdiv\u003eAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eFor additional details on this attack vector, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://codahale.com/a-lesson-in-timing-attacks/\"\u003ehttps://codahale.com/a-lesson-in-timing-attacks/\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T08:38:36.247Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/02/07/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Pulsar: Timing attack in SASL token signature verification",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-51437",
"datePublished": "2024-02-07T09:18:19.080Z",
"dateReserved": "2023-12-19T06:13:58.560Z",
"dateUpdated": "2024-08-02T22:32:09.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37544 (GCVE-0-2023-37544)
Vulnerability from nvd – Published: 2023-12-20 08:34 – Updated: 2025-02-13 17:01
VLAI?
Summary
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
Severity ?
7.5 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pulsar WebSocket Proxy |
Affected:
2.8.0 , ≤ 2.8.*
(semver)
Affected: 2.9.0 , ≤ 2.9.* (semver) Affected: 2.10.0 , ≤ 2.10.4 (semver) Affected: 2.11.0 , ≤ 2.11.1 (semver) Affected: 3.0.0 |
Credits
Michael Marshall of DataStax
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Pulsar WebSocket Proxy",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.8.*",
"status": "affected",
"version": "2.8.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.9.*",
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.10.4",
"status": "affected",
"version": "2.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.11.1",
"status": "affected",
"version": "2.11.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Marshall of DataStax"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\u003cbr\u003e\u003cbr\u003eThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\u003cbr\u003e\u003cbr\u003e2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\u003cbr\u003e2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\u003cbr\u003e3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\u003cbr\u003e3.1 Pulsar WebSocket Proxy users are unaffected.\u003cbr\u003eAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
}
],
"value": "Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.\n\nThis issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.\n\nThe known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.\n\n2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\n2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\n3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\n3.1 Pulsar WebSocket Proxy users are unaffected.\nAny users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T08:35:06.415Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-37544",
"datePublished": "2023-12-20T08:34:02.393Z",
"dateReserved": "2023-07-07T05:55:37.670Z",
"dateUpdated": "2025-02-13T17:01:29.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}