Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials
CVE-2023-37579
What is CVE-2023-37579?
An Incorrect Authorization vulnerability in Apache Pulsar's Function Worker allows authenticated users to access the configuration data of sources and sinks without proper authorization. Many of these configurations may contain sensitive credentials, so the flaw can lead to credential leaks. The exposure is somewhat mitigated because users cannot enumerate another tenant's sources or sinks, but configurations that can be identified by guesswork are still exposed, which remains a significant risk. To safeguard against this issue, users are strongly advised to upgrade to the latest patched versions of the Function Worker.

Affected Version(s)
Apache Pulsar Function Worker 0 < 2.10.4
Apache Pulsar Function Worker 2.11.0