CVE-2021-41571Incorrect Authorization in Apache Pulsar

CWE-863Incorrect AuthorizationCWE-1220Insufficient Granularity of Access ControlCWE-20Improper Input Validation5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
1.0%
top 23.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache PulsarApache Software Foundation Apache Pulsar
Timeline
PublishedFeb 1
Latest updateFeb 2

Description

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDapache/pulsar2.6.02.6.4+2
CVEListV5apache_software_foundation/apache_pulsarApache Pulsar2.8.0

Patches

Patch: github.comPatch: pulsar.apache.orgPatch: github.com

🔴Vulnerability Details

3
OSV
Improper Input Validation in Apache Pulsar2022-02-02
GHSA
Improper Input Validation in Apache Pulsar2022-02-02
CVEList
Pulsar Admin API allows access to data from other tenants using getMessageById API2022-02-01

📋Vendor Advisories

1
Red Hat
pulsar: Pulsar Admin API allows access to data from other tenants using getMessageById API2022-01-31
CVE-2021-41571 — Incorrect Authorization in Apache | cvebase