org.apache.pulsar:pulsar-broker-common@2.1.0-incubating vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.pulsar:pulsar-broker-common package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Access Restriction Bypass
Severity: High

Affected versions of this package are vulnerable to Access Restriction Bypass. When a client connects to the Pulsar Function Worker via the Pulsar Proxy, and the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization using the Proxy's role instead of the client's role. This can lead to privilege escalation, especially if the proxy is configured with a superuser role.

How to fix Access Restriction Bypass?

Upgrade org.apache.pulsar:pulsar-broker-common to version 2.9.0, 2.10.4, 2.11.1 or higher.

Vulnerable versions: [,2.9.0) [2.10.0,2.10.4) [2.11.0,2.11.1)
Vulnerability: Authentication Bypass
Severity: Medium

Affected versions of this package are vulnerable to Authentication Bypass. If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (including admins).

How to fix Authentication Bypass?

Upgrade org.apache.pulsar:pulsar-broker-common to version 2.7.1 or higher.

Vulnerable versions: [0,2.7.1)
Vulnerability: Authentication Bypass
Severity: High

Affected versions of this package are vulnerable to Authentication Bypass. If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (including admins).

How to fix Authentication Bypass?

Upgrade org.apache.pulsar:pulsar-broker-common to version 2.7.1 or higher.

Vulnerable versions: [0,2.7.1)