Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy
CVE-2023-30429

9.6 CRITICAL

Key Information:

Vendor: Apache
CVE Published: 12 July 2023

Summary

An incorrect authorization vulnerability exists in Apache Pulsar when the Pulsar Function Worker authorizes client requests using the role of the Pulsar Proxy that forwarded them rather than the role of the originating client. If the Proxy's role is a superuser, this misconfiguration allows privilege escalation: a client connecting through the Proxy can perform actions on the Function Worker that its own role would not permit. Users are advised to upgrade to a patched release, specifically to version 2.10.4 or above for 2.10 users and to 2.11.1 or above for 2.11 users.

Affected Version(s)

Apache Pulsar < 2.10.4 (all releases before 2.10.4)

Apache Pulsar 2.11.0

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Michael Marshall of DataStax.