Skip to content

Security advisories

Lari Hotari edited this page Sep 23, 2022 · 3 revisions
Clone this wiki locally

Security advisories in Apache Pulsar

Note: There's a separate Security policy page which describes the security vulnerability process and details of supported versions of Apache Pulsar.


  • 2021-05-25 CVE-2021-22160 Authentication with JWT allows use of "none"-algorithm


  • 2022-01-31 CVE-2021-41571 Pulsar Admin API allows access to data from other tenants using getMessageById API
  • 2022-09-22 CVE-2022-24280 Apache Pulsar Proxy target broker address isn't validated
  • 2022-09-22 CVE-2022-33681 Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
  • 2022-09-22 CVE-2022-33682 Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack
  • 2022-09-22 CVE-2022-33683 Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack