cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-29834,https://securityvulnerability.io/vulnerability/CVE-2024-29834,Unauthorized Management Operations on Partitioned Topics and Namespace Properties in Apache Pulsar,"This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. 3.0 Apache Pulsar users should upgrade to at least 3.0.4. 3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.",Apache,Apache Pulsar,6.4,MEDIUM,0.0014199999859556556,false,,false,false,false,,,false,false,,2024-04-02T20:15:00.000Z,0
CVE-2024-27894,https://securityvulnerability.io/vulnerability/CVE-2024-27894,Pulsar Functions Worker Vulnerability: Unauthorized Access and Proxy Attacks,"The Apache Pulsar Functions Worker has a vulnerability that enables authenticated users to create functions that reference implementations hosted at a URL. This includes 'file', 'http', and 'https' schemes. When a function is created in this manner, the Functions Worker retrieves executable code from the provided URL. This feature can be exploited by attackers to gain unauthorized access to files permissible by the Pulsar Functions Worker process, potentially exposing sensitive information like secrets from the process environment. Additionally, attackers could exploit this vulnerability to use the Functions Worker as a proxy, accessing external HTTP and HTTPS endpoints or executing denial of service attacks. The Pulsar Broker is equally affected when configured with 'functionsWorkerEnabled=true'. Users are strongly advised to update to patched versions to mitigate this risk.",Apache,Apache Pulsar,8.8,HIGH,0.0023799999617040157,false,,false,false,false,,,false,false,,2024-03-12T18:19:41.084Z,0
CVE-2024-27317,https://securityvulnerability.io/vulnerability/CVE-2024-27317,Directory Traversal Vulnerability in Apache Pulsar Functions Worker Could Allow Attacker to Modify Files Outside of Designated Extraction Directory,"In the Apache Pulsar Functions Worker, authenticated users have the ability to upload functions using jar or nar files. These files are processed by the Functions Worker, which extracts their content. A vulnerability exists due to inadequate validation of filenames within the zip files, potentially allowing special path elements like '..' to be included. This oversight leads to a directory traversal vulnerability, where an attacker could craft a malicious upload that modifies or creates files in directories outside of the intended extraction path. Importantly, this vulnerability also impacts the Pulsar Broker when it is configured with the 'functionsWorkerEnabled=true' setting. Users operating on vulnerable versions are strongly advised to upgrade to the secure releases listed in the advisory to mitigate these risks.",Apache,Apache Pulsar,9.9,CRITICAL,0.001930000027641654,false,,false,false,false,,,false,false,,2024-03-12T18:18:52.650Z,0
CVE-2024-27135,https://securityvulnerability.io/vulnerability/CVE-2024-27135,Arbitrary Java Code Execution Vulnerability in Pulsar Function Worker,"The vulnerability in the Apache Pulsar Function Worker stems from improper input validation, which allows an authenticated malicious user to execute arbitrary Java code outside the intended sandboxes for user-provided functions. This issue can extend to the Pulsar Broker when the 'functionsWorkerEnabled' configuration is set to true, thus impacting a broader range of deployments. Users operating the affected versions are urged to upgrade to the specified patched versions to mitigate potential risks.",Apache,Apache Pulsar,9.9,CRITICAL,0.0023799999617040157,false,,false,false,false,,,false,false,,2024-03-12T18:18:06.720Z,0
CVE-2022-34321,https://securityvulnerability.io/vulnerability/CVE-2022-34321,Improper Authentication Vulnerability in Apache Pulsar Proxy Could Lead to Sensitive Information Exposure and Denial of Service,"An improper authentication vulnerability in the Apache Pulsar Proxy can allow attackers to access the /proxy-stats endpoint without proper credentials. This exposed endpoint reveals sensitive statistics about active connections and enables unauthorized changes to the logging levels for proxied connections. The vulnerability poses risks such as revealing client IP addresses and potentially enabling denial-of-service conditions through increased logging overhead. Notably, when deployed within Kubernetes, original client IPs might be obscured due to default load balancer configurations. Users are advised to upgrade to specified patched versions and ensure the Apache Pulsar Proxy is not directly exposed to the internet, as it is designed to function in secured network environments.",Apache,Apache Pulsar,8.2,HIGH,0.005470000207424164,false,,false,false,false,,,false,false,,2024-03-12T18:17:06.236Z,0
CVE-2024-28098,https://securityvulnerability.io/vulnerability/CVE-2024-28098,Pulsar Vulnerability: Authenticated Users Can Modify Topic-Level Policies,"The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.",Apache,Apache Pulsar,5.4,MEDIUM,0.0010000000474974513,false,,false,false,false,,,false,false,,2024-03-12T18:15:39.848Z,0
CVE-2023-51437,https://securityvulnerability.io/vulnerability/CVE-2023-51437,Timing Discrepancy Vulnerability Affects Pulsar Users,"The Apache Pulsar SASL Authentication Provider contains an observable timing discrepancy vulnerability that can be exploited to forge SASL Role Tokens. This vulnerability allows attackers to bypass signature verification, posing a significant security risk. To mitigate this vulnerability, it is imperative for users to upgrade to respective patched versions: 2.11.3, 3.0.2, or 3.1.1, depending on their current version. Additionally, users should update the secret configured in the `saslJaasServerRoleTokenSignerSecretPath` file to enhance security. All components running affected versions of the SASL Authentication Provider, including the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker, are vulnerable.",Apache,Apache Pulsar,7.4,HIGH,0.0007900000200606883,false,,false,false,false,,,false,false,,2024-02-07T09:18:19.080Z,0
CVE-2023-37544,https://securityvulnerability.io/vulnerability/CVE-2023-37544,Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS,"The Apache Pulsar WebSocket Proxy is affected by an improper authentication vulnerability that permits unauthorized access to the /pingpong endpoint. This flaw enables attackers to connect without proper credentials, leading to potential denial of service conditions due to unrestricted connection acceptance. Additionally, this vulnerability could result in excessive data transfer, exploiting the WebSocket ping/pong functionality. Users of versions 2.8.x, 2.9.x, and earlier must upgrade to the patched versions of 2.10.5, 2.11.2, or 3.0.1 to mitigate associated risks.",Apache,Apache Pulsar WebSocket Proxy,7.5,HIGH,0.002589999930933118,false,,false,false,false,,,false,false,,2023-12-20T09:15:00.000Z,0
CVE-2023-37579,https://securityvulnerability.io/vulnerability/CVE-2023-37579,Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials,"An Incorrect Authorization vulnerability exists in Apache Pulsar's Function Worker, allowing authenticated users to access configuration data for sources and sinks without proper authorization. Many of these configurations may contain sensitive credentials, leading to potential credential leaks. Although the exposure risk is somewhat mitigated as users cannot enumerate another tenant's sources or sinks, relying on guesswork to identify vulnerable configurations still poses a significant risk. To safeguard against this issue, users are strongly advised to upgrade to the latest patched versions of the Function Worker.",Apache,Apache Pulsar Function Worker,8.2,HIGH,0.0013599999947473407,false,,false,false,false,,,false,false,,2023-07-12T10:15:00.000Z,0
CVE-2023-30428,https://securityvulnerability.io/vulnerability/CVE-2023-30428,Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer,"An incorrect authorization vulnerability in the Apache Pulsar Broker's Rest Producer allows an authenticated user to produce messages to any topic by leveraging a custom HTTP header. This exploitation can have severe consequences, including the generation of unwanted messages across the cluster and the potential manipulation of topic-level policies, thereby affecting message handling and security for other tenants. The vulnerability is only exploitable when an attacker has direct access to the Pulsar Broker, while connections through the Pulsar Proxy are not impacted. Users operating affected versions are urged to upgrade to the latest patched releases to mitigate risks.",Apache,Apache Pulsar Broker,8.2,HIGH,0.0009899999713525176,false,,false,false,false,,,false,false,,2023-07-12T10:15:00.000Z,0
CVE-2023-30429,https://securityvulnerability.io/vulnerability/CVE-2023-30429,Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy,"An incorrect authorization vulnerability exists in Apache Pulsar when the Pulsar Function Worker improperly uses the role of the Pulsar Proxy for authorizing client access. This misconfiguration can lead to privilege escalation if the Proxy is assigned a superuser role, enabling unauthorized actions on behalf of clients. Users are advised to upgrade to the latest patches to mitigate the risk, specifically upgrading to version 2.10.4 or above for 2.10 users and to 2.11.1 or above for 2.11 users.",Apache,Apache Pulsar,9.6,CRITICAL,0.0016799999866634607,false,,false,false,false,,,false,false,,2023-07-12T10:15:00.000Z,0
CVE-2023-31007,https://securityvulnerability.io/vulnerability/CVE-2023-31007,Apache Pulsar: Broker does not always disconnect client when authentication data expires,"Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false. This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0. 2.9 Pulsar Broker users should upgrade to at least 2.9.5. 2.10 Pulsar Broker users should upgrade to at least 2.10.4. 2.11 Pulsar Broker users should upgrade to at least 2.11.1. 3.0 Pulsar Broker users are unaffected. Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.",Apache,Apache Pulsar,6.5,MEDIUM,0.002360000042244792,false,,false,false,false,,,false,false,,2023-07-12T10:15:00.000Z,0
CVE-2022-33684,https://securityvulnerability.io/vulnerability/CVE-2022-33684,Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation,"The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.",Apache,Apache Pulsar,8.1,HIGH,0.001500000013038516,false,,false,false,false,,,false,false,,2022-11-04T00:00:00.000Z,0
CVE-2022-33683,https://securityvulnerability.io/vulnerability/CVE-2022-33683,"Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack","Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.",Apache,Apache Pulsar,5.9,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2022-09-23T09:25:15.000Z,0
CVE-2022-33682,https://securityvulnerability.io/vulnerability/CVE-2022-33682,"Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack","TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client, leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.",Apache,Apache Pulsar,5.9,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2022-09-23T09:25:14.000Z,0
CVE-2022-33681,https://securityvulnerability.io/vulnerability/CVE-2022-33681,Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM,"Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy makes each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.",Apache,Apache Pulsar,5.9,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2022-09-23T09:25:13.000Z,0
CVE-2022-24280,https://securityvulnerability.io/vulnerability/CVE-2022-24280,Apache Pulsar Proxy target broker address isn't validated,"Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.",Apache,Apache Pulsar,6.5,MEDIUM,0.0015999999595806003,false,,false,false,false,,,false,false,,2022-09-23T09:25:12.000Z,0
CVE-2021-41571,https://securityvulnerability.io/vulnerability/CVE-2021-41571,Pulsar Admin API allows access to data from other tenants using getMessageById API,"In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid id for the topic. Authorisation controls are performed against the topic name and there is no proper validation that the ledger id is valid in the context of that topic. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.",Apache,Apache Pulsar,6.5,MEDIUM,0.0008699999889358878,false,,false,false,false,,,false,false,,2022-02-01T12:40:53.000Z,0
CVE-2021-22160,https://securityvulnerability.io/vulnerability/CVE-2021-22160,Authentication with JWT allows use of “none”-algorithm,"If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to ""none"". This allows an attacker to connect to Pulsar instances as any user (incl. admins).",Apache,Apache Pulsar,9.8,CRITICAL,0.03480999916791916,false,,false,false,false,,,false,false,,2021-05-26T12:22:31.000Z,0