VYPR

Maven package

org.apache.pulsar/pulsar-broker

pkg:maven/org.apache.pulsar/pulsar-broker

Vulnerabilities (6)

  • CVE-2024-29834 (Apr 2, 2024)
    affected >= 2.7.1, <= 2.10.6

    This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or

  • CVE-2024-28098 (Mar 12, 2024)
    affected >= 3.2.0, < 3.2.1; fixed 3.2.1

    The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This is

  • CVE-2023-30428 (Jul 12, 2023)
    affected >= 2.9.0, < 2.10.4; fixed 2.10.4

    Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0 throu

  • CVE-2023-31007 (Jul 12, 2023)
    affected >= 2.9.0, < 2.10.4; fixed 2.10.4

    Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthDat

  • CVE-2022-33683 (Sep 23, 2022)
    affected < 2.7.5; fixed 2.7.5

    Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to

  • CVE-2022-33682 (Sep 23, 2022)
    affected < 2.7.5; fixed 2.7.5

    TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man