Apache Pulsar: Broker does not always disconnect client when authentication data expires
CVE-2023-31007

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Pulsar
Vendor: CVE Published:; 12 July 2023

Summary

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.

This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.

2.9 Pulsar Broker users should upgrade to at least 2.9.5. 2.10 Pulsar Broker users should upgrade to at least 2.10.4. 2.11 Pulsar Broker users should upgrade to at least 2.11.1. 3.0 Pulsar Broker users are unaffected. Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.

Affected Version(s)

Apache Pulsar 0 < 2.9.5

Apache Pulsar 2.10.0 <= 2.10.3

Apache Pulsar 2.11.0

References

https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Apr 21, 2023

Credit

Michael Marshall of DataStax