Main Vulnerability Database SB2024040402

SB2024040402 - Improper authorization in Apache Pulsar

Published: April 4, 2024

Security Bulletin ID SB2024040402

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper authorization (CVE-ID: CVE-2024-29834)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to improper authorization for namespace and topic management endpoints. A remote authenticated user with produce or consume permissions can perform unauthorized operations on partitioned topics, such as unloading topics, triggering compaction, create subscriptions and update subscription properties on partitioned topics.

Remediation

Install update from vendor's website.

References

https://pulsar.apache.org/security/CVE-2024-29834/
https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5