Source: China National Vulnerability Database (CNVD), CNVD-2022-83591
History: Nov 08, 2022 - 12:00 a.m.

Apache Pulsar Trust Management Issue Vulnerability (CNVD-2022-83591)

www.cnvd.org.cn
apache pulsar
trust management
vulnerability
oauth2.0
man-in-the-middle
authentication
tls
cloud environment
data replication
streaming data storage

EPSS: 0.001
Percentile: 30.8%

Apache Pulsar is an Apache Foundation distributed messaging platform for cloud environments that integrates messaging, storage, and lightweight functional computing. The software supports multi-tenancy, persistent storage, and multi-datacenter, cross-region data replication, and provides highly scalable streaming data storage with strong consistency, high throughput, and low latency.

Apache Pulsar suffers from a trust management issue vulnerability: the HTTPS calls made for the OAuth2.0 Client Credentials flow do not validate the peer's TLS certificate. An attacker can exploit this to perform a man-in-the-middle attack and intercept and/or modify the GET request that is sent. The intercepted credentials can then be used to obtain authentication data from the OAuth2.0 server and, with it, to authenticate with the Apache Pulsar cluster.
