Improper Authentication Vulnerability in Apache Pulsar Proxy Could Lead to Sensitive Information Exposure and Denial of Service
CVE-2022-34321

8.2 HIGH

Key Information:

Vendor:
Apache
CVE Published:
12 March 2024

Summary

An improper authentication vulnerability in the Apache Pulsar Proxy allows attackers to reach the /proxy-stats endpoint without valid credentials. The exposed endpoint reveals statistics about active connections and also allows unauthorized changes to the logging level for proxied connections. The resulting risks are disclosure of client IP addresses and a potential denial-of-service condition caused by the overhead of the raised logging level. Notably, when the proxy is deployed in Kubernetes, the original client IPs may be obscured by the default load balancer configuration. Users are advised to upgrade to the patched versions and not to expose the Apache Pulsar Proxy directly to the internet, since it is designed to run inside a secured network environment.

Affected Version(s)

Apache Pulsar 2.6.0 < 2.10.6

Apache Pulsar 2.11.0 < 2.11.3

Apache Pulsar 3.0.0 < 3.0.2
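A practical first step for defenders is to compare the Pulsar versions in an inventory against the affected ranges above. The following script is an added example, not code from the advisory or from the Apache Pulsar project; it transcribes the three ranges as half-open intervals [first affected, first fixed) and takes the upper bound of each range as the patched release for that line, which is an inference from the ranges rather than a statement the advisory makes explicitly. Versions outside every listed range (older than 2.6.0, or a later release line such as 3.1.x) are reported as not affected by this entry only; the host names and versions in the sample inventory are constructed.

```python
"""Affected-version check for CVE-2022-34321 (Apache Pulsar Proxy).

Added example; not from the advisory or the Apache Pulsar project.
Ranges are transcribed from the advisory's "Affected Version(s)" section.
"""
import re
from typing import Dict, List, Optional, Tuple

# (first affected, first fixed) per release line, as listed in the advisory.
# The first-fixed value is inferred from the range's upper bound.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2.6.0", "2.10.6"),
    ("2.11.0", "2.11.3"),
    ("3.0.0", "3.0.2"),
]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Accepts an optional leading 'v' and ignores a trailing build/pre-release
    suffix such as '-SNAPSHOT'; a snapshot is treated as its base version,
    which is the conservative choice for an affected-range check.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Pulsar version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def matching_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (first affected, first fixed) range containing version, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return (lo, hi)
    return None


def is_affected(version: str) -> bool:
    """True when version falls inside one of the advisory's affected ranges."""
    return matching_range(version) is not None


def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release on the same line, or None when not affected."""
    rng = matching_range(version)
    return rng[1] if rng else None


def audit(inventory: Dict[str, str]) -> List[Dict[str, object]]:
    """Evaluate a {host: version} inventory and return one finding per host."""
    findings = []
    for host, version in sorted(inventory.items()):
        findings.append({
            "host": host,
            "version": version,
            "affected": is_affected(version),
            "upgrade_to": recommended_upgrade(version),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are not from the advisory.
    sample = {
        "pulsar-proxy-a": "2.10.5",
        "pulsar-proxy-b": "2.10.6",
        "pulsar-proxy-c": "v3.0.1",
        "pulsar-proxy-d": "3.1.0",
        "pulsar-proxy-e": "2.11.2-SNAPSHOT",
    }
    for f in audit(sample):
        status = f"AFFECTED -> upgrade to {f['upgrade_to']}" if f["affected"] else "not affected"
        print(f"{f['host']:16} {f['version']:16} {status}")
```

Run the script directly to print a finding per host, or import it and call `audit()` from an inventory tool. A clean result here only covers the version ranges in this advisory; it says nothing about whether the proxy is reachable from untrusted networks, which the advisory treats as the more important control.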

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Lari Hotari