org.apache.pulsar:pulsar-broker@2.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.pulsar:pulsar-broker package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Certificate Validation

Affected versions of this package are vulnerable to Improper Certificate Validation due to Apache Pulsar Brokers and Proxies creating an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients.An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack.

How to fix Improper Certificate Validation?

Upgrade org.apache.pulsar:pulsar-broker to version 2.7.5, 2.8.4, 2.9.3, 2.10.1 or higher.

(,2.7.5) [2.8.0,2.8.4) [2.9.0,2.9.3) [2.10.0,2.10.1)
  • M
Improper Authorization

Affected versions of this package are vulnerable to Improper Authorization due to improper validation of Pulsar admin method getMessageById, which makes it possible for a user to read from a ledger that contains data owned by another tenant.

How to fix Improper Authorization?

Upgrade org.apache.pulsar:pulsar-broker to version 2.8.1 or higher.

(,2.8.1)