Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2023-51437
HistoryFeb 07, 2024 - 10:15 a.m.

CVE-2023-51437

2024-02-0710:15:08
CWE-203
CWE-200
[email protected]
web.nvd.nist.gov
16
apache pulsar
sasl authentication
timing discrepancy vulnerability
cve-2023-51437
signature forgery
upgrade
security advisory

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.2 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

34.2%

JSON

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the saslJaasServerRoleTokenSignerSecretPath file.

Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.

2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.

For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .

Related

osv 2
ibm 1
prion 1
cvelist 1
github 1
veracode 1
osv
osv
CVE-2023-51437
2024-02-07 10:15:08
Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability
2024-02-07 12:30:25
ibm
ibm
Security Bulletin: Due to use of Apache Pulsar, IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to security restrictions bypass
2024-03-29 01:37:10
prion
prion
Buffer overflow
2024-02-07 10:15:00
cvelist
cvelist
CVE-2023-51437 Apache Pulsar: Timing attack in SASL token signature verification
2024-02-07 09:18:19
github
github
Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability
2024-02-07 12:30:25
veracode
veracode
Timing Attack
2024-02-08 05:44:32

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.2 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

34.2%

JSON
Related for CVE-2023-51437
osv2ibm1prion1cvelist1github1veracode1