4.0.1
7 years ago
15 days ago
Known vulnerabilities in the org.apache.pulsar:pulsar-broker package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Insufficient Session Expiration which allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with How to fix Insufficient Session Expiration? Upgrade | [,2.9.5)[2.10.0,2.10.4)[2.11.0,2.11.1) |
Affected versions of this package are vulnerable to Access Restriction Bypass. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role. How to fix Access Restriction Bypass? Upgrade | [,2.9.0)[2.10.0,2.10.4)[2.11.0,2.11.1) |
Affected versions of this package are vulnerable to Improper Certificate Validation due to Apache Pulsar Brokers and Proxies creating an internal Pulsar Admin Client that does not verify peer TLS certificates, even when How to fix Improper Certificate Validation? Upgrade | [,2.7.5)[2.8.0,2.8.4)[2.9.0,2.9.3)[2.10.0,2.10.1) |
Affected versions of this package are vulnerable to Improper Authorization due to improper validation of Pulsar admin method How to fix Improper Authorization? Upgrade | [,2.8.1) |