org.apache.pulsar:pulsar-broker-common@2.8.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.pulsar:pulsar-broker-common package. This does not include vulnerabilities belonging to this package’s dependencies.

Improper Authorization (severity: Medium)

Affected versions of this package are vulnerable to Improper Authorization in namespace and topic management endpoints. An attacker with produce or consume permissions can perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction, which should be restricted to users with the tenant admin role or superuser role.

Note: The vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user-provided metadata about the namespace.

How to fix Improper Authorization?

Upgrade org.apache.pulsar:pulsar-broker-common to version 3.0.4, 3.2.2 or higher.

Vulnerable versions: [2.7.1,3.0.4) [3.1.0,3.2.2)

Access Restriction Bypass (severity: High)

Affected versions of this package are vulnerable to Access Restriction Bypass. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.

How to fix Access Restriction Bypass?

Upgrade org.apache.pulsar:pulsar-broker-common to version 2.9.0, 2.10.4, 2.11.1 or higher.

Vulnerable versions: [,2.9.0) [2.10.0,2.10.4) [2.11.0,2.11.1)
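The version ranges above use Maven's interval notation: a square bracket is an inclusive bound, a parenthesis an exclusive bound, and an empty bound (as in "[,2.9.0)") is unbounded on that side. The following script is an added example, not code from Snyk or from the Apache Pulsar project: it parses that notation and reports which of the two advisories listed on this page cover a given org.apache.pulsar:pulsar-broker-common version. It assumes plain dotted numeric versions (qualifiers such as "-SNAPSHOT" are not handled) and the range strings are copied verbatim from the page.

```python
"""Added example (not Snyk's or Apache Pulsar's code): test a dependency
version against the Maven-style vulnerable ranges quoted on this page.

Range syntax as shown above, e.g. "[2.7.1,3.0.4) [3.1.0,3.2.2)":
a space-separated list of intervals, '[' / ']' inclusive, '(' / ')'
exclusive, and an empty bound (as in "[,2.9.0)") meaning unbounded.
Assumption: versions are dotted integers with no qualifier suffix.
"""
import re
from typing import Dict, List, Optional, Tuple

# Range strings copied from the two advisories above for this package.
ADVISORIES: Dict[str, str] = {
    "Improper Authorization": "[2.7.1,3.0.4) [3.1.0,3.2.2)",
    "Access Restriction Bypass": "[,2.9.0) [2.10.0,2.10.4) [2.11.0,2.11.1)",
}

Version = Tuple[int, ...]
Range = Tuple[Optional[Version], bool, Optional[Version], bool]

# One interval: open bracket, low bound, comma, high bound, close bracket.
_RANGE = re.compile(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])")


def parse_version(v: str) -> Version:
    """Split a dotted numeric version into a tuple that compares naturally."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_ranges(spec: str) -> List[Range]:
    """Return (low, low_inclusive, high, high_inclusive) for each interval."""
    ranges: List[Range] = []
    for m in _RANGE.finditer(spec):
        lo_br, lo, hi, hi_br = m.groups()
        ranges.append((
            parse_version(lo) if lo else None, lo_br == "[",
            parse_version(hi) if hi else None, hi_br == "]",
        ))
    if not ranges:
        raise ValueError(f"no version ranges found in {spec!r}")
    return ranges


def in_range(version: str, spec: str) -> bool:
    """True if `version` lies inside any interval of `spec`."""
    v = parse_version(version)
    for lo, lo_inc, hi, hi_inc in parse_ranges(spec):
        if lo is not None and (v < lo or (v == lo and not lo_inc)):
            continue  # below the lower bound of this interval
        if hi is not None and (v > hi or (v == hi and not hi_inc)):
            continue  # at or above the upper bound of this interval
        return True
    return False


def affected_by(version: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """Names of the advisories whose vulnerable ranges include `version`."""
    return [name for name, spec in advisories.items() if in_range(version, spec)]


if __name__ == "__main__":
    # 2.8.3 is the version this page is about; the other two are the fixed
    # releases named in the "How to fix" sections.
    for candidate in ("2.8.3", "3.0.4", "3.2.2"):
        print(candidate, "->", affected_by(candidate) or "not affected")
```

Running it shows that 2.8.3 is inside the vulnerable ranges of both advisories, while the fixed versions named above fall outside them; the same function can be pointed at whatever version a build actually resolves (for example from `mvn dependency:tree` output) before deciding whether the upgrade in the "How to fix" sections is needed.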