Vulnerability identifier: #VU88111
Vulnerability risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-29834
CWE-ID:
CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Pulsar
Server applications /
Messaging and streaming platforms
Vendor: Apache Software Foundation
Description
The vulnerability allows a remote authenticated user to escalate privileges within the application.
The vulnerability exists due to improper authorization (CWE-285) on the namespace and topic management endpoints for partitioned topics. The affected endpoints accept any caller who holds a produce or consume permission on the namespace, instead of requiring the tenant admin or superuser role that management operations are meant to be restricted to. A remote authenticated user with only produce or consume permission can therefore perform unauthorized management operations on partitioned topics, such as unloading topics, triggering compaction, creating subscriptions, and updating subscription properties. The check is present but tests the wrong privilege, which is why this is classified as improper authorization rather than missing authentication.
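To make the authorization point concrete, the following added example (written for this page, not Pulsar's own code) models the three kinds of principal Pulsar's authorization deals with, superuser roles, per-tenant admin roles, and roles holding produce or consume grants on a namespace, as plain Python data, and places the vulnerable decision beside the corrected one. It keeps to the two management operations the description names unambiguously, unload and compaction; the subscription operations are left out because their required privilege is subscription-level rather than tenant-admin. All function and field names are hypothetical; only the access-control shape follows the advisory: a management operation on a partitioned topic must require the tenant admin or superuser role, never a data-plane grant.

```python
"""Model of the CWE-285 flaw behind #VU88111 (constructed example, not Pulsar code).

Pulsar authorizes three kinds of principal: superuser roles (broker config),
tenant admin roles (per tenant) and roles holding produce/consume grants on a
namespace. Management operations on a topic are meant to require the first two.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PRODUCE, CONSUME = "produce", "consume"
# Management operations the advisory says were reachable with only produce/consume.
MANAGEMENT_OPS = {"unload", "compact"}


@dataclass
class AuthzState:
    """Hypothetical snapshot of a broker's authorization data (constructed)."""
    super_users: set[str] = field(default_factory=set)
    tenant_admins: dict[str, set[str]] = field(default_factory=dict)            # tenant -> roles
    ns_grants: dict[str, dict[str, set[str]]] = field(default_factory=dict)     # "tenant/ns" -> role -> actions


def split_topic(topic: str) -> tuple[str, str]:
    """'persistent://tenant/ns/topic' -> ('tenant', 'tenant/ns')."""
    _, _, rest = topic.partition("://")
    tenant, ns, _ = rest.split("/", 2)
    return tenant, f"{tenant}/{ns}"


def is_privileged(state: AuthzState, role: str, tenant: str) -> bool:
    """Superuser or tenant admin: the roles management operations should require."""
    return role in state.super_users or role in state.tenant_admins.get(tenant, set())


def has_grant(state: AuthzState, role: str, ns: str, action: str) -> bool:
    """Namespace-level produce/consume grant lookup."""
    return action in state.ns_grants.get(ns, {}).get(role, set())


def authorize_vulnerable(state: AuthzState, role: str, topic: str, op: str) -> bool:
    """Pre-fix behaviour on partitioned topics: a data-plane grant also unlocks management ops."""
    tenant, ns = split_topic(topic)
    if op in (PRODUCE, CONSUME):
        return has_grant(state, role, ns, op)
    if op in MANAGEMENT_OPS:
        return (is_privileged(state, role, tenant)
                or has_grant(state, role, ns, PRODUCE)    # <- the flaw: produce is enough
                or has_grant(state, role, ns, CONSUME))   # <- the flaw: consume is enough
    return False


def authorize_fixed(state: AuthzState, role: str, topic: str, op: str) -> bool:
    """Corrected behaviour: management ops require tenant admin or superuser."""
    tenant, ns = split_topic(topic)
    if op in (PRODUCE, CONSUME):
        return has_grant(state, role, ns, op)
    if op in MANAGEMENT_OPS:
        return is_privileged(state, role, tenant)
    return False


def overprivileged(state: AuthzState, topic: str, roles: list[str]) -> list[tuple[str, str]]:
    """(role, op) pairs the vulnerable check allows but the fixed check denies."""
    return sorted((r, op) for r in roles for op in MANAGEMENT_OPS
                  if authorize_vulnerable(state, r, topic, op)
                  and not authorize_fixed(state, r, topic, op))


# Constructed sample data: one superuser, one tenant admin, two data-plane roles.
SAMPLE = AuthzState(
    super_users={"admin"},
    tenant_admins={"acme": {"acme-ops"}},
    ns_grants={"acme/orders": {"order-producer": {PRODUCE}, "order-consumer": {CONSUME}}},
)
TOPIC = "persistent://acme/orders/events"
ROLES = ["admin", "acme-ops", "order-producer", "order-consumer", "outsider"]

if __name__ == "__main__":
    for role, op in overprivileged(SAMPLE, TOPIC, ROLES):
        print(f"{role} could {op} {TOPIC} before the fix")
```

Running the module lists the two data-plane roles against both management operations, while the superuser, the tenant admin and the unrelated role are treated identically by both checks. The useful audit question for a real cluster is the same one `overprivileged` asks: which roles hold produce or consume grants on namespaces with partitioned topics, because until the upgrade each of them can invoke the affected endpoints.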
Mitigation
Upgrade to a patched release: 3.0.4, 3.1.4 or 3.2.2 (or later), the first releases beyond the affected ranges listed below. No patched release is listed for the 2.7 to 2.11 branches, so deployments on those branches should move to a patched 3.x release. Until the upgrade is complete, treat every role holding a produce or consume grant on a namespace that contains partitioned topics as able to unload and compact those topics, and restrict such grants to trusted roles.
Vulnerable software versions
Apache Pulsar: 3.0.0 - 3.0.3, 3.1.0 - 3.1.3, 3.2.0 - 3.2.1, 2.11.0 - 2.11.4, 2.10.0 - 2.10.6, 2.9.0 - 2.9.5, 2.8.0 - 2.8.4, 2.7.1 - 2.7.5
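The affected ranges above, turned into an added helper (written for this page, not a vendor tool) that classifies a reported broker version string and names the first release past the matching range. The fixed versions 3.0.4, 3.1.4 and 3.2.2 follow directly from where the listed ranges end; the list names no patched release for the 2.x branches, so for those the helper points at the oldest patched 3.x release, which is an assumption to confirm against the vendor's advisory before acting on it.

```python
"""Classify a Pulsar version against the #VU88111 affected ranges (constructed helper)."""
import re

Version = tuple[int, int, int]

# (first affected, last affected, first patched release in that branch or None),
# transcribed from the "Vulnerable software versions" list on this page.
AFFECTED = [
    ((3, 2, 0), (3, 2, 1), "3.2.2"),
    ((3, 1, 0), (3, 1, 3), "3.1.4"),
    ((3, 0, 0), (3, 0, 3), "3.0.4"),
    ((2, 11, 0), (2, 11, 4), None),
    ((2, 10, 0), (2, 10, 6), None),
    ((2, 9, 0), (2, 9, 5), None),
    ((2, 8, 0), (2, 8, 4), None),
    ((2, 7, 1), (2, 7, 5), None),
]
# Assumption: 2.x branches have no patched release, so point at the oldest patched 3.x.
OLDEST_PATCHED = "3.0.4"


def parse_version(text: str) -> Version:
    """Accept '3.2.1', 'v3.2.1' or '3.2.1-SNAPSHOT'; build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> dict:
    """Return whether the version falls in a listed range and what to upgrade to."""
    v = parse_version(text)
    for lo, hi, fix in AFFECTED:
        if lo <= v <= hi:
            target = fix or (f"{OLDEST_PATCHED} or later "
                             f"(no patched release listed for the {lo[0]}.{lo[1]} branch)")
            return {"version": text, "affected": True, "upgrade_to": target}
    # Not in any listed range: either already patched or outside the list's coverage.
    return {"version": text, "affected": False, "upgrade_to": None}


if __name__ == "__main__":
    for reported in ["3.2.1", "3.2.2", "v3.1.4-SNAPSHOT", "2.10.6", "2.7.0"]:
        print(assess(reported))
```

A version that matches no listed range is reported as not affected only in the sense that the page does not list it; releases older than 2.7.1 or newer than the last listed range fall outside the list's coverage rather than being cleared by it. Pre-release builds carry a version number before the fix lands in that branch, so a `-SNAPSHOT` build should be judged by its commit, not by this check.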
External links
http://pulsar.apache.org/security/CVE-2024-29834/
http://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5
Can this vulnerability be exploited remotely?
Yes. Exploitation requires network access to the broker's management endpoints and valid credentials for a role that holds produce or consume permission on the target namespace; no user interaction is needed.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.