CVE-2021-41571

Name of the Vulnerable Software and Affected Versions Apache Pulsar versions prior to 2.8.1 Apache Pulsar versions prior to 2.7.4 Apache Pulsar versions prior to 2.6.5

Description The issue allows access to data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API "get-message-by-id" requires the user to input a topic and a ledger id. The ledger id is a pointer to the data and is supposed to be a valid id for the topic. However, authorization controls are performed against the topic name, and there is no proper validation that the ledger id is valid in the context of such a ledger. This may allow a user to read from a ledger that contains data owned by another tenant.

Recommendations For Apache Pulsar versions prior to 2.8.1, update to version 2.8.1 or later. For Apache Pulsar versions prior to 2.7.4, update to version 2.7.4 or later. For Apache Pulsar versions prior to 2.6.5, update to version 2.6.5 or later.