PT-2023-22686 · Apache · Apache Pulsar

Michael Marshall · Published 2023-07-12 · Updated 2023-07-20 · CVE-2023-30429

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Pulsar versions prior to 2.10.4
Apache Pulsar version 2.11.0

Description

The issue affects Apache Pulsar when a client connects to the Pulsar Function Worker via the Pulsar Proxy, which uses mTLS authentication. The Pulsar Function Worker incorrectly performs authorization by using the Proxy's role instead of the client's role, leading to potential privilege escalation, especially if the proxy is configured with a superuser role.

Recommendations

For Apache Pulsar version 2.10, upgrade to at least version 2.10.4.
For Apache Pulsar version 2.11, upgrade to at least version 2.11.1.
For Apache Pulsar versions 2.9 and earlier, upgrade to one of the above patched versions.
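The authorization flaw described above, as an added illustration (not Pulsar code): a minimal model of a service behind an mTLS proxy, with the flawed check that authorizes on the proxy's own role beside a corrected check that authorizes on the client role the proxy forwards. The role names, ACL and the `original_principal` field are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy for the example (not Pulsar configuration values).
SUPERUSER_ROLES = {"proxy-admin"}        # roles allowed to do anything
PROXY_ROLES = {"proxy-admin"}            # roles trusted to act as a proxy
FUNCTION_ACL = {"fn-alice": {"alice"}}   # function name -> roles allowed to manage it


@dataclass
class Request:
    """A request as seen by the worker behind the proxy."""
    authenticated_role: str               # role from the mTLS cert of the direct peer
    original_principal: Optional[str]     # client role forwarded by the proxy, if any
    function: str


def is_authorized(role: str, function: str) -> bool:
    """Plain ACL lookup: superusers may do anything, others need an ACL entry."""
    return role in SUPERUSER_ROLES or role in FUNCTION_ACL.get(function, set())


def authorize_vulnerable(req: Request) -> bool:
    """Flawed check: decides on the proxy's role, so every proxied client
    inherits the proxy's privileges (superuser, if so configured)."""
    return is_authorized(req.authenticated_role, req.function)


def authorize_fixed(req: Request) -> bool:
    """Corrected check: when the direct peer is a trusted proxy, decide on the
    forwarded client role; a non-proxy peer must not supply one at all."""
    if req.authenticated_role in PROXY_ROLES:
        if req.original_principal is None:
            return False  # proxy forwarded no client identity: deny
        return is_authorized(req.original_principal, req.function)
    if req.original_principal is not None:
        return False  # forwarded identity from a non-proxy peer: treat as spoofed
    return is_authorized(req.authenticated_role, req.function)
```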

Fix

Weakness Enumeration

Incorrect Authorization

Related identifiers

CVE-2023-30429
GHSA-G9CV-V3V4-3H8R

Affected products

Apache Pulsar