Skip to content

Apache Pulsar Incorrect Authorization vulnerability

Critical severity GitHub Reviewed Published Jul 12, 2023 to the GitHub Advisory Database • Updated Nov 7, 2023

Package

maven org.apache.pulsar:pulsar (Maven)

Affected versions

< 2.10.4
= 2.11.0

Patched versions

2.10.4
2.11.1

Description

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.

This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.

When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.

The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.

References

Published by the National Vulnerability Database Jul 12, 2023
Published to the GitHub Advisory Database Jul 12, 2023
Reviewed Jul 12, 2023
Last updated Nov 7, 2023

Severity

Critical
9.6
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2023-30429

GHSA ID

GHSA-g9cv-v3v4-3h8r

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.