Lari Hotari

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions 2.7.1 through 2.10.6 Apache Pulsar versions 2.11.0 through 2.11.4 Apache Pulsar versions 3.0.0 through 3.0.3 Apache Pulsar versions 3.1.0 through 3.1.3 Apache Pulsar versions 3.2.0 through 3.2.1 **Description** The issue is related to insufficient authorization mechanisms in Apache Pulsar, allowing authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics. This includes unloading topics, triggering compaction, and managing namespace properties. The vulnerability affects users with the default authorization provider, and the impact may vary with custom authorization providers. **Recommendations** Apache Pulsar version 3.0 users should upgrade to at least version 3.0.4. Apache Pulsar version 3.1 and 3.2 users should upgrade to at least version 3.2.2. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions 2.4.0 through 2.10.5 Apache Pulsar versions 2.11.0 through 2.11.3 Apache Pulsar versions 3.0.0 through 3.0.2 Apache Pulsar versions 3.1.0 through 3.1.2 Apache Pulsar version 3.2.0 **Description** The issue is related to improper input validation in the Pulsar Function Worker, allowing a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". **Recommendations** Apache Pulsar version 2.10 users should upgrade to at least version 2.10.6. Apache Pulsar version 2.11 users should upgrade to at least version 2.11.4. Apache Pulsar version 3.0 users should upgrade to at least version 3.0.3. Apache Pulsar version 3.1 users should upgrade to at least version 3.1.3. Apache Pulsar version 3.2 users should upgrade to at least version 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions 2.6.0 through 2.10.5 Apache Pulsar versions 2.11.0 through 2.11.2 Apache Pulsar versions 3.0.0 through 3.0.1 Apache Pulsar version 3.1.0 **Description** The issue is related to an improper authentication vulnerability in the Apache Pulsar Proxy, allowing an attacker to connect to the "/proxy-stats" endpoint without authentication. This exposes detailed statistics about live connections and allows modification of the logging level of proxied connections without proper authentication credentials. The known risks include exposing sensitive information, such as connected client IP, and unauthorized logging level manipulation, which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. **Recommendations** Apache Pulsar version 2.10 users should upgrade to at least version 2.10.6. Apache Pulsar version 2.11 users should upgrade to at least version 2.11.3. Apache Pulsar version 3.0 users should upgrade to at least version 3.0.2. Apache Pulsar version 3.1 users should upgrade to at least version 3.1.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions 2.7.1 through 2.10.5 Apache Pulsar versions 2.11.0 through 2.11.3 Apache Pulsar versions 3.0.0 through 3.0.2 Apache Pulsar versions 3.1.0 through 3.1.2 Apache Pulsar version 3.2.0 **Description** The issue is related to improper authorization in Apache Pulsar, allowing authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. **Recommendations** Apache Pulsar version 2.10 users should upgrade to at least version 2.10.6. Apache Pulsar version 2.11 users should upgrade to at least version 2.11.4. Apache Pulsar version 3.0 users should upgrade to at least version 3.0.3. Apache Pulsar version 3.1 users should upgrade to at least version 3.1.3. Apache Pulsar version 3.2 users should upgrade to at least version 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions prior to 2.10.6 Apache Pulsar versions prior to 2.11.4 Apache Pulsar versions prior to 3.0.3 Apache Pulsar versions prior to 3.1.3 Apache Pulsar versions prior to 3.2.1 **Description** The issue is related to the Pulsar Functions Worker, which allows authenticated users to create functions where the function's implementation is referenced by a URL. This feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read, including reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs, such as "http" or "https" schemes, and carry out denial of service attacks. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". **Recommendations** For versions prior to 2.10.6, upgrade to at least 2.10.6. For versions prior to 2.11.4, upgrade to at least 2.11.4. For versions prior to 3.0.3, upgrade to at least 3.0.3. For versions prior to 3.1.3, upgrade to at least 3.1.3. For versions prior to 3.2.1, upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. As a temporary workaround, consider restricting access to the `additionalEnabledConnectorUrlPatterns` and `additionalEnabledFunctionsUrlPatterns` configuration keys to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar versions 2.4.0 through 2.10.5 Apache Pulsar versions 2.11.0 through 2.11.3 Apache Pulsar versions 3.0.0 through 3.0.2 Apache Pulsar versions 3.1.0 through 3.1.2 Apache Pulsar version 3.2.0 **Description** The issue is related to a directory traversal vulnerability in Pulsar Functions Worker. Authenticated users can upload functions in jar or nar files, which are essentially zip files extracted by the Functions Worker. If a malicious file is uploaded, it could exploit this vulnerability due to improper validation of filenames in the zip files, potentially allowing an attacker to create or modify files outside the designated extraction directory and influence system behavior. This vulnerability also applies to the Pulsar Broker when configured with "functionsWorkerEnabled=true". **Recommendations** 2.10 Pulsar Function Worker users should upgrade to at least version 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least version 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least version 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least version 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least version 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

**Name of the Vulnerable Software and Affected Versions** Apache Pulsar Proxy versions 2.6.4 and earlier Apache Pulsar Proxy versions 2.7.0 through 2.7.4 Apache Pulsar Proxy versions 2.8.0 through 2.8.2 Apache Pulsar Proxy versions 2.9.0 through 2.9.1 **Description** The issue is related to an Improper Input Validation vulnerability in the Proxy component of Apache Pulsar. This vulnerability allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. The attacker will have to have a valid token to a properly secured Pulsar Proxy. **Recommendations** For Apache Pulsar Proxy versions 2.6.4 and earlier, update to a version later than 2.6.4. For Apache Pulsar Proxy versions 2.7.0 through 2.7.4, update to a version later than 2.7.4. For Apache Pulsar Proxy versions 2.8.0 through 2.8.2, update to a version later than 2.8.2. For Apache Pulsar Proxy versions 2.9.0 through 2.9.1, update to a version later than 2.9.1. As a temporary workaround, consider restricting access to the Proxy component to minimize the risk of exploitation.