CVE-2023-37579

Name of the Vulnerable Software and Affected Versions Apache Pulsar versions prior to 2.10.4 Apache Pulsar version 2.11.0 Apache Pulsar versions 2.9.* and earlier

Description The issue is related to an Incorrect Authorization vulnerability in Apache Pulsar Function Worker, which can allow a remote attacker to access the configuration of the cloud platform. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization, potentially leading to leaked credentials. The vulnerability is mitigated by the fact that there is no known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.

Recommendations For Apache Pulsar version 2.10, upgrade to at least version 2.10.4. For Apache Pulsar version 2.11, upgrade to at least version 2.11.1. For Apache Pulsar versions 2.9.* and earlier, upgrade to one of the above patched versions. Note that Apache Pulsar version 3.0 is unaffected.