CVE-2023-37579

Severity
6.5 MEDIUM
EPSS
0.1%
top 73.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jul 12

Description

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another te

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.8

Affected Packages
3 packages

Vulnerability Details (3)

OSV
Apache Pulsar Function Worker Incorrect Authorization vulnerability (2023-07-12)
CVEList
Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials (2023-07-12)
GHSA
Apache Pulsar Function Worker Incorrect Authorization vulnerability (2023-07-12)