PT-2023-22685 · Apache · Apache Pulsar Broker

Michael Marshall · Published 2023-07-12 · Updated 2023-07-20 · CVE-2023-30428

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Pulsar Broker versions 2.9.0 through 2.9.5
Apache Pulsar Broker versions 2.10.0 through 2.10.3
Apache Pulsar Broker version 2.11.0

Description

The issue is an Incorrect Authorization vulnerability in the Apache Pulsar Broker's REST Producer: an authenticated user who supplies a custom HTTP header can produce a message to any topic using the broker's admin role. It is exploitable when the attacker connects directly to the Pulsar Broker. Two risks are known: producing garbage messages to any topic in the cluster, and influencing topic settings for other tenants, which could lead to exfiltration and/or deletion of messages.

Recommendations

Apache Pulsar Broker versions 2.9.0 through 2.9.5 should upgrade to one of the patched versions.
Apache Pulsar Broker versions 2.10.0 through 2.10.3 should upgrade to at least version 2.10.4.
Apache Pulsar Broker version 2.11.0 should upgrade to at least version 2.11.1.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2023-30428
GHSA-J2R7-3RVW-G7GX

Affected Products

Apache Pulsar Broker