PT-2023-6483 · Apache · Apache Pulsar

Michael Marshall · Published 2023-07-11 · Updated 2023-07-20 · CVE-2023-31007

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Apache Pulsar versions through 2.9.4
Apache Pulsar versions from 2.10.0 through 2.10.3
Apache Pulsar version 2.11.0

Description

An improper authentication vulnerability in the Apache Pulsar Broker allows a client to stay connected to a broker after its authentication data expires. This can occur if the client connected through the Pulsar Proxy while the broker is configured with authenticateOriginalAuthData=false, or if a client connects directly to a broker with a specially crafted connect command while the broker is configured with authenticateOriginalAuthData=false.

Recommendations

Apache Pulsar version 2.9 users should upgrade to at least version 2.9.5. Apache Pulsar version 2.10 users should upgrade to at least version 2.10.4. Apache Pulsar version 2.11 users should upgrade to at least version 2.11.1. Any users running Apache Pulsar version 2.8 or earlier should upgrade to one of the above patched versions.
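As an added defender-side check that is not part of this advisory or of Apache Pulsar's own code, the script below tests a deployment against the two facts the advisory states: the affected version ranges and the authenticateOriginalAuthData=false broker setting. It assumes broker.conf uses plain key=value lines and, by assumption, treats an absent key as the shipped default of false; the sample configuration is constructed.

```python
# Checks a Pulsar broker deployment against CVE-2023-31007 as the advisory
# states it: affected version ranges plus authenticateOriginalAuthData=false.
import re

AFFECTED = [((0, 0, 0), (2, 9, 4)),   # "through 2.9.4" also covers 2.8 and earlier
            ((2, 10, 0), (2, 10, 3)),  # inclusive ranges from the advisory
            ((2, 11, 0), (2, 11, 0))]
# First patched release per minor line, from the advisory's recommendations.
FIXED = {(2, 9): "2.9.5", (2, 10): "2.10.4", (2, 11): "2.11.1"}

def parse_version(text):
    """'2.10.3' -> (2, 10, 3); a missing patch number is treated as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Pulsar version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected_version(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def recommended_upgrade(text):
    """Patched release named by the advisory, or None if not listed as affected."""
    if not is_affected_version(text):
        return None
    return FIXED.get(parse_version(text)[:2], "2.9.5, 2.10.4 or 2.11.1")

def parse_broker_conf(text):
    """Minimal key=value parser for broker.conf; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def advisory_condition_present(conf):
    """True when the broker runs with authenticateOriginalAuthData=false.
    Assumption: an absent key means the shipped default, which is false."""
    return conf.get("authenticateOriginalAuthData", "false").lower() == "false"

def assess(version, conf_text):
    """One finding per deployment: affected build, weak setting, target release."""
    conf = parse_broker_conf(conf_text)
    return {"affected_version": is_affected_version(version),
            "condition_present": advisory_condition_present(conf),
            "upgrade_to": recommended_upgrade(version)}

# Constructed sample broker.conf fragment, not taken from a real deployment.
SAMPLE_CONF = "authenticationEnabled=true\nauthenticateOriginalAuthData=false\n"
```

A broker on an affected build with the condition present matches the advisory's description; an unaffected build or a version beyond the listed ranges is reported as not listed, not as safe.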

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2023-07217
CVE-2023-31007
GHSA-47R2-PHR8-M8CP

Affected Products

Apache Pulsar