CVE-2023-31007

Severity
6.5 MEDIUM
EPSS
0.1%
top 78.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jul 12

Description

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false. This issue affects Apache Pulsar: through 2.9.4, from

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
Exploitability: 2.8 | Impact: 0.0

Affected Packages (3 packages)

Maven | org.apache.pulsar:pulsar-broker | 2.9.0 | 2.10.4 | +1
CVEListV5 | apache_software_foundation/apache_pulsar | 2.10.0 | 2.10.3 | +2
NVD | apache/pulsar | 2.10.0 | 2.10.3 | +2

Vulnerability Details (3)
GHSA
Apache Pulsar Broker Improper Authentication vulnerability (2023-07-12)
OSV
Apache Pulsar Broker Improper Authentication vulnerability (2023-07-12)
CVEList
Apache Pulsar: Broker does not always disconnect client when authentication data expires (2023-07-12)