Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials
Description
An incorrect authorization vulnerability in the Apache Software Foundation's Apache Pulsar Function Worker.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1. 3.0 Pulsar Function Worker users are unaffected. Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Pulsar Function Worker before 2.10.4 and 2.11.0 allows authenticated users to retrieve source/sink configurations without authorization, potentially leaking credentials.
CVE-2023-37579 is an incorrect authorization vulnerability in the Apache Pulsar Function Worker, affecting versions before 2.10.4 and 2.11.0 [1][2]. The root cause is that the Function Worker fails to enforce proper authorization checks when an authenticated user requests the configuration of a source or a sink. Because many source and sink configurations contain sensitive credentials (e.g., for connecting to external systems), this flaw can lead to credential disclosure [2].
Exploitation requires the attacker to be an authenticated user of the Pulsar cluster. The attacker must also know the exact name of the target source or sink, as there is no known method for an authenticated user to enumerate another tenant's sources or sinks [2]. The attack does not require any special privileges, only that the user can send an API request to retrieve the configuration of a known source or sink belonging to another tenant [1].
A successful attacker can retrieve the full configuration of a source or sink, including any embedded credentials [2]. This could lead to unauthorized access to external systems that the source or sink connects to, such as databases, message queues, or cloud services. The impact is primarily credential exposure, which may enable lateral movement or data theft depending on the privileges of the leaked credentials.
Apache has released patched versions: 2.10.4 and 2.11.1, which fix the authorization check [2]. Users running version 2.9.* or earlier are advised to upgrade to one of these patched releases. Pulsar 3.0 is unaffected [2]. There is no known workaround other than upgrading. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.pulsar:pulsar-functions-worker | Maven | < 2.10.4 | 2.10.4 |
| org.apache.pulsar:pulsar-functions-worker | Maven | >= 2.11.0, < 2.11.1 | 2.11.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-74mc-g2xv-pch2 (GHSA advisory)
- lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-37579 (NVD advisory)
News mentions
No linked articles in our index yet.