Michael Rowley

Rank #19416 of 53,632 · Total CVSS 13.6 · Vulnerabilities: 2 (Medium: 1, High: 1)

PT-2022-5873 · 8.1 · 2022-11-04

Apache · Apache Pulsar C++ Client · CVE-2022-33684
**Name of the Vulnerable Software and Affected Versions**

- Apache Pulsar C++ Client versions 2.7.0 through 2.7.4
- Apache Pulsar C++ Client versions 2.8.0 through 2.8.3
- Apache Pulsar C++ Client versions 2.9.0 through 2.9.2
- Apache Pulsar C++ Client versions 2.10.0 through 2.10.1
- Apache Pulsar C++ Client version 2.6.4 and earlier
- Apache Pulsar Python Client versions 2.7.0 through 2.7.4
- Apache Pulsar Python Client versions 2.8.0 through 2.8.3
- Apache Pulsar Python Client versions 2.9.0 through 2.9.2
- Apache Pulsar Python Client versions 2.10.0 through 2.10.1
- Apache Pulsar Python Client version 2.6.4 and earlier

**Description**

The Apache Pulsar C++ Client and Python Client do not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when `tlsAllowInsecureConnection` is disabled via configuration. This allows an attacker to perform a man-in-the-middle attack and intercept and/or modify the GET request sent to the `ClientCredentialFlow` "issuer url". The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker must take control of a machine "between" the client and the server and actively manipulate traffic to perform the attack.

**Recommendations**

- 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials, including `client id` and `client secret`.
- 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials, including `client id` and `client secret`.
- 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials, including `client id` and `client secret`.
- 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials, including `client id` and `client secret`.
- Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions and rotate vulnerable OAuth2.0 credentials, including `client id` and `client secret`.