CVE-2023-30428

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.1HIGH

EPSS

0.1%

top 71.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Pulsar Broker Apache Pulsar

Timeline

PublishedJul 12

Description

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0 through 2.9.5, from 2.10.0 before 2.10.4, 2.11.0. The vulnerability is exploitable when an attacker can connect directly to the Pulsar Broker. If an attacker is connecting through the Pulsar Proxy, there is no known way to e…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.8

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_pulsar_broker2.10.0 — 2.10.4+2

▶Mavenorg.apache.pulsar:pulsar-broker2.9.0 — 2.10.4+1

▶NVDapache/pulsar2.10.0 — 2.10.4+2

🔴Vulnerability Details

CVEList

Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer↗2023-07-12

▶

OSV

Apache Pulsar Broker's Rest Producer vulnerable to Incorrect Authorization↗2023-07-12

▶

GHSA

Apache Pulsar Broker's Rest Producer vulnerable to Incorrect Authorization↗2023-07-12

▶