9 matches found
CVE-2026-41732
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...
CVE-2026-41732
CVE-2026-41732 affects Spring for Apache Pulsar due to JsonPulsarHeaderMapper using a prefix-based check on trusted packages, causing trust to cascade to subpackages. An empty trusted-packages config can default to trusting all packages. This exposes potential deserialization risk by allowing acc...
PT-2026-48328
Name of the Vulnerable Software and Affected Versions Spring for Apache Pulsar versions 1.1.0 through 1.1.17 Spring for Apache Pulsar versions 1.2.0 through 1.2.17 Spring for Apache Pulsar versions 2.0.0 through 2.0.5 Description JsonPulsarHeaderMapper uses a prefix check to match type headers...
EUVD-2024-0948
Malicious code in bioql PyPI...
org.apache.pulsar:pulsar-io-distribution (>=2.3.0 <=2.7.5), org.apache.pulsar:pulsar-io-docs (>=2.3.0 <=2.7.5) potentially affected by CVE-2025-30677 via org.apache.pulsar:pulsar-io-kafka (>=2.3.0 <=2.7.5)
org.apache.pulsar:pulsar-io-kafka MAVEN version =2.3.0, =2.3.0, =2.3.0, =2.7.5 Source cves: CVE-2025-30677 Source advisory: SNYK:JAVA-ORGAPACHEPULSAR-9685318...
CVE-2024-27135
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is...
CVE-2022-34321 Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections...
io.github.embedded-middleware:embedded-pulsar-core (>=0.0.4 <=0.0.5), org.apache.pulsar:pulsar-broker (>=2.11.0 <=2.11.1) +7 more potentially affected by CVE-2023-37544 via org.apache.pulsar:pulsar-websocket (>=2.11.0 <=2.11.1)
org.apache.pulsar:pulsar-websocket MAVEN version =2.11.0, =0.0.4, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.1 Source cves: CVE-2023-37544 Source advisory: OSV:GHSA-83Q5-WHQP-R8JR...
GHSA-74MC-G2XV-PCH2 Apache Pulsar Function Worker Incorrect Authorization vulnerability
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks...