Apache Pulsar

Source repositories

https://github.com/apache/pulsar

CVEs (17)

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2021-22160	Apache Apache Pulsar	0.01	—	0.19	May 26, 2021	If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl.…
CVE-2024-29834	Apache Pulsar	0.00	—	0.00	Apr 2, 2024	This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or…
CVE-2024-27894	Apache Pulsar	0.00	—	0.00	Mar 12, 2024	The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the…
CVE-2024-27317	Apache Pulsar	0.00	—	0.01	Mar 12, 2024	In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when…
CVE-2024-27135	Apache Pulsar	0.00	—	0.00	Mar 12, 2024	Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar…
CVE-2022-34321	Apache Pulsar Proxy	0.00	—	0.00	Mar 12, 2024	Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of…
CVE-2024-28098	Apache Pulsar	0.00	—	0.00	Mar 12, 2024	The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This…
CVE-2023-51437	Apache Apache Pulsar	0.00	—	0.00	Feb 7, 2024	Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users…
CVE-2023-30428	Apache Pulsar Broker	0.00	—	0.00	Jul 12, 2023	Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0…
CVE-2023-30429	Apache Apache Pulsar	0.00	—	0.00	Jul 12, 2023	Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to…
CVE-2023-31007	Apache Pulsar Broker	0.00	—	0.00	Jul 12, 2023	Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with…
CVE-2022-33684	Apache Pulsar C++ Client	0.00	—	0.00	Nov 4, 2022	The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and…
CVE-2022-33683	Apache Pulsar	0.00	—	0.00	Sep 23, 2022	Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable…
CVE-2022-33682	Apache Pulsar Broker	0.00	—	0.00	Sep 23, 2022	TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to…
CVE-2022-33681	Apache Pulsar Proxy	0.00	—	0.00	Sep 23, 2022	Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are…
CVE-2022-24280	Apache Pulsar	0.00	—	0.00	Sep 23, 2022	Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP…
CVE-2021-41571	Apache Apache Pulsar	0.00	—	0.01	Feb 1, 2022	In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed…

CVE-2021-22160May 26, 2021
Apache
Apache Pulsar
risk 0.01cvss —epss 0.19
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl.…
CVE-2024-29834Apr 2, 2024
Apache
Pulsar
risk 0.00cvss —epss 0.00
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or…
CVE-2024-27894Mar 12, 2024
Apache
Pulsar
risk 0.00cvss —epss 0.00
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the…
CVE-2024-27317Mar 12, 2024
Apache
Pulsar
risk 0.00cvss —epss 0.01
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when…
CVE-2024-27135Mar 12, 2024
Apache
Pulsar
risk 0.00cvss —epss 0.00
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar…
CVE-2022-34321Mar 12, 2024
Apache
Pulsar Proxy
risk 0.00cvss —epss 0.00
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of…
CVE-2024-28098Mar 12, 2024
Apache
Pulsar
risk 0.00cvss —epss 0.00
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This…
CVE-2023-51437Feb 7, 2024
Apache
Apache Pulsar
risk 0.00cvss —epss 0.00
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users…
CVE-2023-30428Jul 12, 2023
Apache
Pulsar Broker
risk 0.00cvss —epss 0.00
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0…
CVE-2023-30429Jul 12, 2023
Apache
Apache Pulsar
risk 0.00cvss —epss 0.00
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to…
CVE-2023-31007Jul 12, 2023
Apache
Pulsar Broker
risk 0.00cvss —epss 0.00
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with…
CVE-2022-33684Nov 4, 2022
Apache
Pulsar C++ Client
risk 0.00cvss —epss 0.00
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and…
CVE-2022-33683Sep 23, 2022
Apache
Pulsar
risk 0.00cvss —epss 0.00
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable…
CVE-2022-33682Sep 23, 2022
Apache
Pulsar Broker
risk 0.00cvss —epss 0.00
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to…
CVE-2022-33681Sep 23, 2022
Apache
Pulsar Proxy
risk 0.00cvss —epss 0.00
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are…
CVE-2022-24280Sep 23, 2022
Apache
Pulsar
risk 0.00cvss —epss 0.00
Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP…
CVE-2021-41571Feb 1, 2022
Apache
Apache Pulsar
risk 0.00cvss —epss 0.01
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed…