Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer
CVE-2023-30428

8.2 HIGH

Key Information:

Vendor
Apache
CVE Published:
12 July 2023

Summary

An incorrect authorization vulnerability in the Apache Pulsar Broker's Rest Producer allows an authenticated user to produce messages to any topic by supplying a custom HTTP header. Exploitation can have severe consequences, including the generation of unwanted messages across the cluster and the potential manipulation of topic-level policies, which affects message handling and security for other tenants. The vulnerability is only exploitable when an attacker has direct access to the Pulsar Broker; connections made through the Pulsar Proxy are not affected. Users running affected versions are urged to upgrade to the latest patched releases to mitigate the risk.

Affected Version(s)

Apache Pulsar Broker 2.9.0 <= 2.9.5

Apache Pulsar Broker 2.10.0 < 2.10.4

Apache Pulsar Broker 2.11.0

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Marshall of DataStax.