Veracode Vulnerability Database VERACODE:45865
History: Mar 14, 2024 - 9:28 a.m.

Incorrect Authorization

2024-03-14 09:28:17
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: apache pulsar, vulnerability, incorrect authorization, inadequate access controls, topic-level policies, tenant admin, super user role, management operations, authenticated users, limited permissions, modification, critical settings, retention, ttl, offloading settings

CVSS3: 6.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score: 6.9
Confidence: Low
EPSS: 0
Percentile: 15.5%

org.apache.pulsar, pulsar-broker is vulnerable to Incorrect Authorization. The vulnerability exists due to inadequate access controls on modifying topic-level policies. Only users with the tenant admin or super user role should be permitted to perform such management operations; instead, authenticated users with limited permissions can modify topic-level policies, which can lead to unauthorized modification of critical settings such as retention, TTL, and offloading settings for topics within Apache Pulsar.
