8 matches found

CVE-2022-33681
added 2022/09/23 9:25 a.m. | 113 views

CVE-2022-33681 describes a vulnerability in the Apache Pulsar Java Client and Pulsar Proxy where delayed TLS hostname verification allows a MITM to capture authentication data. Affected software includes Apache Pulsar Java Client versions: 2.7.0–2.7.4; 2.8.0–2.8.3; 2.9.0–...

CVSS 5.9 | AI score 6.2 | EPSS 0.00564
CVE-2021-22160
added 2021/05/26 12:22 p.m. | 95 views

CVE-2021-22160 affects Apache Pulsar. The issue is that when JWT-based client authentication is used, the token signature is not validated if the token’s alg header is set to none, allowing an attacker to impersonate any user (including admins). The connected Red Hat and OSV entries corroborate the same des...

CVSS 9.8 | AI score 9.4 | EPSS 0.52926
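The alg=none failure mode behind CVE-2021-22160, as an added example that is not Pulsar's code and not taken from the advisory: a minimal HS256 signer, a forged alg=none token with an empty signature segment, a verifier that trusts the header's alg (the vulnerable pattern), and a hardened verifier that pins an algorithm allow-list and never lets the token choose how it is checked. The secret and the claims are constructed for the demonstration; `verify_vulnerable` and `verify_hardened` are hypothetical names, not Pulsar APIs.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret; a real deployment loads it from configuration.
SECRET = b"constructed-example-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Re-add stripped padding; an empty segment decodes to b"".
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict) -> str:
    """Legitimate token: HS256 signature over header.payload."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker's token: alg=none and an empty signature segment, no key needed."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_vulnerable(token: str) -> Optional[dict]:
    """Vulnerable pattern: the header's alg decides whether a signature is checked."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p))  # signature never inspected
    if header.get("alg") == "HS256":
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    return None


def verify_hardened(token: str, allowed_algs=("HS256",)) -> Optional[dict]:
    """Hardened: algorithm allow-list fixed by the verifier; alg in the token is
    only compared against it, so none/None/NONE and alg-confusion are rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "admin"})
    print("vulnerable verifier accepts forged admin:", verify_vulnerable(forged))
    print("hardened verifier accepts forged admin:", verify_hardened(forged))
```

The fix is not "reject the string none": it is that the verifier owns the list of acceptable algorithms and the key material for each, so a token cannot downgrade or redirect its own verification.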
CVE-2023-30429
added 2023/07/12 9:08 a.m. | 79 views

CVE-2023-30429 (Apache Pulsar Incorrect Authorization): affects the Pulsar Function Worker when connecting through a Pulsar Proxy with mTLS; the worker uses the Proxy’s role for authorization instead of the client’s, enabling privilege escalation. Affected: Pulsar Function Worker versions before 2.1...

CVSS 9.6 | AI score 9.2 | EPSS 0.00733
CVE-2022-33683
added 2022/09/23 9:25 a.m. | 74 views

Apache Pulsar Brokers and Proxies expose an internal Pulsar Admin Client that does not verify peer TLS certificates, even with tlsAllowInsecureConnection disabled. This enables MITM scenarios on intra-cluster and geo-replication HTTPS connections, potentially leaking authentication data, configur...

CVSS 5.9 | AI score 5.6 | EPSS 0.00552
CVE-2023-37544
added 2023/12/20 8:34 a.m. | 73 views

CVE-2023-37544 covers an Improper Authentication vulnerability in the Apache Pulsar WebSocket Proxy, where an attacker can connect to the /pingpong endpoint without authentication. Affected are the Pulsar WebSocket Proxy releases listed in the CVE, including 2.8.0–2.8., 2.9.0–2.9., 2.10.0–2.10.4, 2....

CVSS 7.5 | AI score 7.4 | EPSS 0.01351
CVE-2022-33682
added 2022/09/23 9:25 a.m. | 70 views

The CVE-2022-33682 entry describes a TLS hostname verification issue in Apache Pulsar components: Pulsar Broker, Proxy, and WebSocket Proxy (Java Clients and Admin Client), where hostname verification cannot be enabled for pulsar+ssl and HTTPS. Root cause: hostname verification disabled, enabling ...

CVSS 5.9 | AI score 5.6 | EPSS 0.00581
CVE-2023-37579
added 2023/07/12 9:05 a.m. | 57 views

This CVE affects the Apache Pulsar Function Worker. An incorrect authorization flaw allows any authenticated user to retrieve a source or sink configuration, potentially exposing credentials stored in those configurations. Affected products/versions: Pulsar Function Worker before 2.10.4 and before 2....

CVSS 8.2 | AI score 7 | EPSS 0.0058
CVE-2023-31007
added 2023/07/12 9:07 a.m. | 54 views

The CVE-2023-31007 issue is an Improper Authentication vulnerability in the Apache Pulsar Broker. The root cause is that the broker may fail to disconnect a client after its authentication data expires when the client connects via Pulsar Proxy with authenticateOriginalAuthData=false or when a direct conn...

CVSS 6.5 | AI score 5.3 | EPSS 0.00722