Veracode Vulnerability Database, VERACODE:41281
Jul 14, 2023 - 6:07 a.m.

Incorrect Authorization

2023-07-14 06:07:38
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
incorrect authorization
vulnerability
authentication
rest producer
topic settings
message exfiltration

CVSS3: 8.2 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS: 0.001 Low
Percentile: 29.0%

org.apache.pulsar:pulsar-broker is vulnerable to Incorrect Authorization. An authenticated user is able to send messages to any topic, utilizing the broker's admin role, by using the library's REST producer. There are two risks for impacted users: an attacker might send useless messages to any topic in the cluster, and might change topic settings, which might cause messages for other tenants to be exfiltrated or deleted.
