CVE-2023-30429

Severity: 8.8 HIGH
EPSS: 0.1% (top 77.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 12

Description

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especia

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Exploitability: 3.1 | Impact: 5.8

Affected Packages (3 packages)

NVD: apache/pulsar, affected < 2.10.4 (+1)
Maven: org.apache.pulsar:pulsar, affected 2.11.0, fixed in 2.11.1 (+1)

Vulnerability Details (3 sources)

GHSA: Apache Pulsar Incorrect Authorization vulnerability (2023-07-12)
OSV: Apache Pulsar Incorrect Authorization vulnerability (2023-07-12)
CVEList: Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy (2023-07-12)