#VU87558 Missing Authorization in Apache Pulsar


Published: 2024-03-15

Vulnerability identifier: #VU87558

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34321

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Pulsar
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to missing authorization at the "/proxy-stats" endpoint. A remote non-authenticated attacker can use the endpoint to view detailed statistics about live connections and modify the logging level of proxied connections.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Apache Pulsar: 2.6.0 - 2.6.4, 2.7.0 - 2.7.5, 2.8.0 - 2.8.4, 2.9.0 - 2.9.5, 2.10.0 - 2.10.5, 2.11.0 - 2.11.2, 3.0.0 - 3.0.1, 3.1.0
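The description above and the version list are what an operator needs to triage an inventory of Pulsar deployments against this advisory. The following script is an added example (not part of the advisory or of the Apache Pulsar project): it transcribes the affected ranges from the list above, parses version strings as they appear in build metadata (tolerating suffixes such as `-SNAPSHOT`), and classifies each host. The host inventory is constructed sample data. Because the advisory does not name fixed versions, a version outside the listed ranges is reported only as "not in listed ranges", not as fixed.

```python
"""Triage helper for the Apache Pulsar /proxy-stats missing-authorization
advisory (CVE-2022-34321, CWE-862).

Added example, not part of the advisory. The AFFECTED_RANGES table is copied
from the advisory's "Vulnerable software versions" list; the parsing and
range logic are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges, transcribed from the advisory.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2.6.0", "2.6.4"),
    ("2.7.0", "2.7.5"),
    ("2.8.0", "2.8.4"),
    ("2.9.0", "2.9.5"),
    ("2.10.0", "2.10.5"),
    ("2.11.0", "2.11.2"),
    ("3.0.0", "3.0.1"),
    ("3.1.0", "3.1.0"),
]

# Leading MAJOR.MINOR.PATCH; anything after the patch number is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Parse the leading MAJOR.MINOR.PATCH of a version string.

    Suffixes such as '-SNAPSHOT' or '-hotfix' are tolerated. Strings that do
    not start with three numeric components return None so the caller can
    flag them rather than silently treating them as unaffected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if `version` lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Pulsar version string: {version!r}")
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        assert lo is not None and hi is not None  # table entries are well-formed
        if lo <= v <= hi:
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify a host -> version map.

    Returns host -> one of 'affected', 'not in listed ranges', 'unparseable'.
    'not in listed ranges' is deliberately not 'fixed': the advisory lists
    affected ranges only, so confirm the patched release with the vendor.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        if parse_version(version) is None:
            result[host] = "unparseable"
        elif is_affected(version):
            result[host] = "affected"
        else:
            result[host] = "not in listed ranges"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "pulsar-proxy-a.example.internal": "2.10.3",
    "pulsar-proxy-b.example.internal": "2.11.2-SNAPSHOT",
    "pulsar-proxy-c.example.internal": "3.1.0",
    "pulsar-proxy-d.example.internal": "2.10.6",
    "pulsar-proxy-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:40s} {SAMPLE_INVENTORY[host]:18s} {verdict}")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY` with the versions reported by your own deployments; anything marked `affected` exposes the unauthenticated `/proxy-stats` endpoint described above until updated, and `unparseable` entries should be investigated rather than ignored.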


External links
http://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8
http://pulsar.apache.org/security/CVE-2022-34321/
http://lists.apache.org/thread/0j7n7cos96ys701cg5bj0ck2gq92p1qk
http://lists.apache.org/thread/0f49dyo45ccdplwvogtzm5ddrxcnwrz5


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
