Lucene search

8 matches found

CVE-2022-33681 (CVE, added 2022/09/23 10:15 a.m.)

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy makes each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication da...

CVSS 5.9 | AI score 6.2 | EPSS 0.00066
CVE-2021-22160 (CVE, added 2021/05/26 1:15 p.m.)

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

CVSS 9.8 | AI score 9.4 | EPSS 0.18529
CVE-2022-33683 (CVE, added 2022/09/23 10:15 a.m.)

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle ...

CVSS 5.9 | AI score 5.6 | EPSS 0.00108
CVE-2023-37544 (CVE, added 2023/12/20 9:15 a.m.)

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through...

CVSS 7.5 | AI score 7.4 | EPSS 0.0005
CVE-2022-33682 (CVE, added 2022/09/23 10:15 a.m.)

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle atta...

CVSS 5.9 | AI score 5.6 | EPSS 0.00206
CVE-2023-30429 (CVE, added 2023/07/12 10:15 a.m.)

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar F...

CVSS 9.6 | AI score 9.2 | EPSS 0.00069
CVE-2023-37579 (CVE, added 2023/07/12 10:15 a.m.)

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contai...

CVSS 8.2 | AI score 7 | EPSS 0.00089
CVE-2023-31007 (CVE, added 2023/07/12 10:15 a.m.)

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a cli...

CVSS 6.5 | AI score 5.3 | EPSS 0.00063
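Two of the entries above are the same verifier discipline seen twice: CVE-2021-22160 (a token whose header says alg "none" is accepted without any signature check, so anyone can mint an admin token) and CVE-2023-31007 (a connection that was authenticated once keeps going after the authentication data has expired). The block below is an added example written for this page, not Apache Pulsar's code (Pulsar's token provider is Java and uses a JWT library); it assumes an HMAC-SHA256 shared secret, the constructed KEY, tokens and fixed clock shown, and the hypothetical function names verify_vulnerable, verify_hardened, accepts and connection_deadline. It builds a forged alg=none token and a genuine HS256 token, then runs both through a verifier that trusts the header's alg field and one that pins the algorithm, always checks the MAC, and enforces exp against a caller-supplied clock so it can be re-run after connect.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed example secret; in Pulsar the HMAC secret would come from tokenSecretKey.
KEY = b"example-shared-secret-not-for-production"
# Fixed clock so the run is reproducible (constructed, not a real timestamp of anything).
NOW = 1_700_000_000


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Legitimately issued token: header.payload signed with HMAC-SHA256 under key."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def make_none_token(claims: dict) -> str:
    """Attacker-forged token: alg=none and an empty signature; needs no key at all."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_vulnerable(token: str, key: bytes, now: int) -> dict:
    """The CVE-2021-22160 pattern: the untrusted header's 'alg' decides whether a
    signature is checked. 'now' is deliberately unused: the check happens once at
    connect time and is never repeated, the CVE-2023-31007 pattern."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "none":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_hardened(token: str, key: bytes, now: int) -> dict:
    """Pin the expected algorithm, always verify the MAC, enforce 'exp' at time now."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if exp is not None and now >= int(exp):
        raise ValueError("token expired")
    return claims


def accepts(verifier: Callable[[str, bytes, int], dict], token: str, key: bytes, now: int) -> bool:
    """True if the verifier admits the token at time now, False if it rejects it."""
    try:
        verifier(token, key, now)
        return True
    except ValueError:
        return False


def connection_deadline(claims: dict) -> Optional[int]:
    """What a broker should record at connect time: when to drop the connection or
    demand fresh credentials, instead of trusting the connect-time check forever."""
    exp = claims.get("exp")
    return int(exp) if exp is not None else None


# Constructed sample tokens: a forged admin token and a real 60-second token for alice.
FORGED_ADMIN_TOKEN = make_none_token({"sub": "admin"})
REAL_TOKEN = make_hs256_token({"sub": "alice", "exp": NOW + 60}, KEY)

if __name__ == "__main__":
    print("forged admin, vulnerable verifier:", accepts(verify_vulnerable, FORGED_ADMIN_TOKEN, KEY, NOW))
    print("forged admin, hardened verifier:  ", accepts(verify_hardened, FORGED_ADMIN_TOKEN, KEY, NOW))
    print("real token at connect, hardened:  ", accepts(verify_hardened, REAL_TOKEN, KEY, NOW))
    print("real token 60s later, hardened:   ", accepts(verify_hardened, REAL_TOKEN, KEY, NOW + 60))
    print("disconnect deadline for alice:    ", connection_deadline(verify_hardened(REAL_TOKEN, KEY, NOW)))
```

The hardened verifier never consults the token to decide how the token will be verified: the algorithm and key are server configuration, and a header that disagrees is an error, not a hint. Re-running it with a later clock is what turns the one-shot check into the deadline the CVE-2023-31007 entry is about; a broker that only stores the result of the connect-time check has no way to notice the expiry.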