Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials
CVE-2023-37579
8.2 HIGH
Summary
An Incorrect Authorization vulnerability exists in Apache Pulsar's Function Worker, allowing authenticated users to access configuration data for sources and sinks without proper authorization. Many of these configurations contain sensitive credentials, so the flaw can lead to credential leaks. The exposure is somewhat limited because users cannot enumerate another tenant's sources or sinks, but an authenticated user who guesses the name of a source or sink can still retrieve its configuration, so the risk remains significant. To safeguard against this issue, users are strongly advised to upgrade to the latest patched versions of the Function Worker.
Affected Version(s)
Apache Pulsar Function Worker < 2.10.4 (all versions before 2.10.4)
Apache Pulsar Function Worker 2.11.0
References
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved
Credit
Michael Marshall of DataStax