CVE-2022-34321

Severity
8.2 HIGH
EPSS
0.1%
top 83.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 12

Description

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials. This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0. The known risks include expos

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Exploitability: 3.9 | Impact: 4.2

Affected Packages

3 packages

Maven  org.apache.pulsar:pulsar-proxy  2.6.0  2.10.6  +3
NVD  apache/pulsar  2.6.0  2.10.6  +3
CVEListV5  apache_software_foundation/apache_pulsar  2.6.0  2.10.6  +3

🔴 Vulnerability Details

3
CVEList
Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint 2024-03-12
GHSA
Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint 2024-03-12
OSV
Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint 2024-03-12

📋 Vendor Advisories

1
Red Hat
apache-pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint 2024-03-12