Homepage
About Snyk

org.apache.pulsar:pulsar-broker@2.10.0 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.pulsar:pulsar-broker package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Certificate Validation

Affected versions of this package are vulnerable to Improper Certificate Validation due to Apache Pulsar Brokers and Proxies creating an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients.An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack.

How to fix Improper Certificate Validation?

Upgrade org.apache.pulsar:pulsar-broker to version 2.7.5, 2.8.4, 2.9.3, 2.10.1 or higher.

(,2.7.5) [2.8.0,2.8.4) [2.9.0,2.9.3) [2.10.0,2.10.1)
Go back to all versions of this package