Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ApachePulsar

20 matches found

CVE
CVEadded 2021/05/26 1:15 p.m.81 views

CVE-2021-22160

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

9.8CVSS9.4AI score0.18529EPSS
CVE
CVEadded 2024/02/07 10:15 a.m.76 views

CVE-2023-51437

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider upda...

7.4CVSS7.2AI score0.00124EPSS
CVE
CVEadded 2022/02/01 1:15 p.m.75 views

CVE-2021-41571

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for...

6.5CVSS6.2AI score0.00979EPSS
CVE
CVEadded 2022/09/23 10:15 a.m.74 views

CVE-2022-24280

Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address...

6.5CVSS6.4AI score0.00026EPSS
CVE
CVEadded 2022/09/23 10:15 a.m.72 views

CVE-2022-33681

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication da...

5.9CVSS6.2AI score0.00066EPSS
CVE
CVEadded 2022/11/04 12:15 p.m.70 views

CVE-2022-33684

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or mo...

8.1CVSS8AI score0.00143EPSS
CVE
CVEadded 2024/03/12 7:15 p.m.61 views

CVE-2024-27317

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the ...

9.9CVSS8.2AI score0.00561EPSS
CVE
CVEadded 2022/09/23 10:15 a.m.60 views

CVE-2022-33683

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle ...

5.9CVSS5.6AI score0.00108EPSS
CVE
CVEadded 2024/03/12 7:15 p.m.59 views

CVE-2024-27135

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is config...

9.9CVSS8.6AI score0.00088EPSS
CVE
CVEadded 2024/03/12 7:15 p.m.58 views

CVE-2024-27894

The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will r...

8.8CVSS8.4AI score0.00235EPSS
CVE
CVEadded 2023/12/20 9:15 a.m.57 views

CVE-2023-37544

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8., from 2.9.0 through 2.9. , from 2.10.0 through 2.10.4, from 2.11.0 through...

7.5CVSS7.4AI score0.0005EPSS
CVE
CVEadded 2023/07/12 10:15 a.m.55 views

CVE-2023-30428

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role.This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10....

8.2CVSS8AI score0.00098EPSS
CVE
CVEadded 2025/04/09 12:15 p.m.55 views

CVE-2025-30677

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application logs. This vulnerability can lead to unintended exp...

6.5CVSS6.4AI score0.00071EPSS
CVE
CVEadded 2024/03/12 7:15 p.m.53 views

CVE-2022-34321

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections wi...

8.2CVSS8.1AI score0.0004EPSS
CVE
CVEadded 2022/09/23 10:15 a.m.52 views

CVE-2022-33682

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle atta...

5.9CVSS5.6AI score0.00206EPSS
CVE
CVEadded 2023/07/12 10:15 a.m.52 views

CVE-2023-30429

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar F...

9.6CVSS9.2AI score0.00069EPSS
CVE
CVEadded 2024/03/12 7:15 p.m.52 views

CVE-2024-28098

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache P...

6.4CVSS5.7AI score0.00127EPSS
CVE
CVEadded 2024/04/02 8:15 p.m.48 views

CVE-2024-29834

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An ...

6.4CVSS6.2AI score0.0016EPSS
CVE
CVEadded 2023/07/12 10:15 a.m.37 views

CVE-2023-37579

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contai...

8.2CVSS7AI score0.00089EPSS
CVE
CVEadded 2023/07/12 10:15 a.m.36 views

CVE-2023-31007

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a cli...

6.5CVSS5.3AI score0.00063EPSS