Search results for: ApachePulsar

20 matches found

CVE-2022-33681 (CVE · added 2022/09/23 9:25 a.m. · 108 views)

CVE-2022-33681 describes a vulnerability in the Apache Pulsar Java Client and Pulsar Proxy where delayed TLS hostname verification allows a MITM to capture authentication data. Affected software (from the provided docs) includes Apache Pulsar Java Client versions: 2.7.0–2.7.4; 2.8.0–2.8.3; 2.9.0–...

CVSS 5.9 · AI score 6.2 · EPSS 0.00177

CVE-2021-22160 (CVE · added 2021/05/26 12:22 p.m. · 92 views)

CVE-2021-22160 affects Apache Pulsar. The issue is that when JWT-based client authentication is used, the token signature is not validated if the token’s alg is set to none, allowing an attacker to imitate any user (including admins). The connected Red Hat and OSV entries corroborate the same des...

CVSS 9.8 · AI score 9.4 · EPSS 0.18529

CVE-2023-51437 (CVE · added 2024/02/07 9:18 a.m. · 92 views)

This CVE (CVE-2023-51437) concerns an observable timing discrepancy in the Apache Pulsar SASL Authentication Provider that could allow forging a SASL Role Token passing signature verification. Affected products/components include Pulsar Broker, Proxy, Websocket Proxy, and Function Worker. Root ca...

CVSS 7.4 · AI score 7.2 · EPSS 0.00095

CVE-2022-24280 (CVE, Web · added 2022/09/23 9:25 a.m. · 88 views)

Summary of CVE-2022-24280: The Proxy component of Apache Pulsar has an input-validation weakness that enables DoS-like TCP/IP connection attempts to originate from the Pulsar Proxy’s IP. Affected versions include 2.7.0–2.7.4; 2.8.0–2.8.2; 2.9.0–2.9.1; and 2.6.4 and earlier. The attacker must hav...

CVSS 6.5 · AI score 6.4 · EPSS 0.00224

CVE-2021-41571 (CVE · added 2022/02/01 12:40 p.m. · 87 views)

CVE-2021-41571 affects Apache Pulsar. The vulnerability arises from improper validation of the ledger id in the Admin API get-message-by-id, allowing a user to read BookKeeper data for tenants other than their own via the topic- and ledger-id context. Affected versions include Pulsar 2.8.0 and ol...

CVSS 6.5 · AI score 6.2 · EPSS 0.00979

CVE-2022-33684 (CVE · added 2022/11/04 12:00 a.m. · 86 views)

The CVE-2022-33684 entry documents a vulnerability in the Apache Pulsar C++ and Python clients where TLS peer certificate verification is not performed during OAuth2.0 Client Credential Flow HTTPS calls, even when tlsAllowInsecureConnection is disabled. This enables MITM attackers who can control...

CVSS 8.1 · AI score 8 · EPSS 0.00155

CVE-2025-30677 (CVE · added 2025/04/09 11:58 a.m. · 86 views)

Apache Pulsar IO Kafka connectors (Source, Sink, and Kafka Connect Adaptor Sink) log sensitive configuration properties in plain text in application logs. Affected components: Pulsar IO’s Apache Kafka connectors across versions before 3.0.11, 3.3.6, and 4.0.4. Consequence: potential exposure of K...

CVSS 6.5 · AI score 6.4 · EPSS 0.00154

CVE-2024-27317 (CVE · added 2024/03/12 6:18 p.m. · 76 views)

Root cause: a directory traversal in archive extraction when uploaded ZIPs (jar/nar) are processed by Pulsar Functions Worker, allowing creation/modification of files outside the extraction dir. Attack surface includes Pulsar Broker when functionsWorkerEnabled=true. Affected versions span 2.4.0–2...

CVSS 9.9 · AI score 8.2 · EPSS 0.01029

CVE-2024-27135 (CVE · added 2024/03/12 6:18 p.m. · 71 views)

CVE-2024-27135 (Apache Pulsar): The issue is caused by improper input validation in the Pulsar Function Worker, allowing an authenticated user to execute arbitrary Java code outside the designated sandboxes. The vulnerability also affects the Pulsar Broker when configured with functionsWorkerEn...

CVSS 9.9 · AI score 8.6 · EPSS 0.00088

CVE-2022-33683 (CVE · added 2022/09/23 9:25 a.m. · 70 views)

Apache Pulsar Brokers and Proxies expose an internal Pulsar Admin Client that does not verify peer TLS certificates, even with tlsAllowInsecureConnection disabled. This enables MITM scenarios on intra-cluster and geo-replication HTTPS connections, potentially leaking authentication data, configur...

CVSS 5.9 · AI score 5.6 · EPSS 0.00223

CVE-2022-34321 (CVE · added 2024/03/12 6:17 p.m. · 70 views)

CVE-2022-34321 (Apache Pulsar Proxy) is an Improper Authentication vulnerability affecting Pulsar Proxy statistics at /proxy-stats. Connected docs specify impact: unauthorized access to live-connection stats and the ability to modify logging levels, potentially leaking client IPs and enabling DoS...

CVSS 8.2 · AI score 8.1 · EPSS 0.00052

CVE-2023-30428 (CVE · added 2023/07/12 9:10 a.m. · 69 views)

CVE-2023-30428: Apache Pulsar Broker Rest Producer improper authorization allows an authenticated user with a custom HTTP header to produce messages to any topic using the broker’s admin role. Affected: Pulsar Brokers 2.9.0–2.9.5; 2.10.0–2.10.3; 2.11.0. Exploitation requires direct broker access ...

CVSS 8.2 · AI score 8 · EPSS 0.00114

CVE-2023-37544 (CVE · added 2023/12/20 8:34 a.m. · 69 views)

CVE-2023-37544 covers an Improper Authentication vulnerability in the Apache Pulsar WebSocket Proxy, where an attacker can connect to the /pingpong endpoint without authentication. Affected are Pulsar WebSocket Proxy releases listed in the CVE, including 2.8.0–2.8., 2.9.0–2.9. , 2.10.0–2.10.4, 2....

CVSS 7.5 · AI score 7.4 · EPSS 0.00067

CVE-2024-27894 (CVE · added 2024/03/12 6:19 p.m. · 69 views)

The CVE describes a vulnerability in Apache Pulsar where the Functions Worker can create functions whose implementation is fetched from a URL (file, http, https). An authenticated attacker could read any file the worker process can access (including environment secrets) and use the worker as a pr...

CVSS 8.8 · AI score 8.4 · EPSS 0.00412

CVE-2023-30429 (CVE · added 2023/07/12 9:08 a.m. · 68 views)

CVE-2023-30429 (Apache Pulsar Incorrect Authorization): Affects Pulsar Function Worker when connecting through a Pulsar Proxy with mTLS; the worker uses the Proxy’s role for authorization instead of the client’s, enabling privilege escalation. Affected: Pulsar Function Worker versions before 2.1...

CVSS 9.6 · AI score 9.2 · EPSS 0.00078

CVE-2022-33682 (CVE · added 2022/09/23 9:25 a.m. · 67 views)

The CVE-2022-33682 entry describes a TLS hostname verification issue in Apache Pulsar components: Pulsar Broker, Proxy, and WebSocket Proxy (Java Clients and Admin Client) where hostname verification cannot be enabled for pulsar+ssl and HTTPS. Root cause: hostname verification disabled, enabling ...

CVSS 5.9 · AI score 5.6 · EPSS 0.00284

CVE-2024-28098 (CVE · added 2024/03/12 6:15 p.m. · 67 views)

CVE-2024-28098 affects Apache Pulsar; authenticated users with produce or consume permissions can modify topic-level policies (retention, TTL, offloading). Affected versions include 2.7.1–2.10.5, 2.11.0–2.11.3, 3.0.0–3.0.2, 3.1.0–3.1.2, and 3.2.0. Patched upgrades are required: 2.10.6 or newer fo...

CVSS 6.4 · AI score 5.7 · EPSS 0.00232

CVE-2024-29834 (CVE · added 2024/04/02 7:24 p.m. · 63 views)

Apache Pulsar CVE-2024-29834 allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics (unload/compact) and to read/create/modify/delete namespace properties across namespaces; impact assumes default authorization provider. Affected: 2...

CVSS 6.4 · AI score 6.2 · EPSS 0.00222

CVE-2023-37579 (CVE · added 2023/07/12 9:05 a.m. · 53 views)

This CVE affects Apache Pulsar Function Worker. An incorrect authorization flaw allows any authenticated user to retrieve a source or sink configuration, potentially exposing credentials stored in those configurations. Affected products/versions: Pulsar Function Worker before 2.10.4 and before 2....

CVSS 8.2 · AI score 7 · EPSS 0.00103

CVE-2023-31007 (CVE · added 2023/07/12 9:07 a.m. · 51 views)

The CVE-2023-31007 issue is an Improper Authentication vulnerability in Apache Pulsar Broker. The root cause is that the broker may fail to disconnect a client after authentication data expires when the client connects via Pulsar Proxy with authenticateOriginalAuthData=false or when a direct conn...

CVSS 6.5 · AI score 5.3 · EPSS 0.00073