CVE-2023-51437

CWE-203 CWE-200 — Information Exposure4 documents4 sources

Severity

7.4HIGH

EPSS

0.1%

top 73.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Pulsar Apache Software Foundation Apache Pulsar

Timeline

PublishedFeb 7

Description

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file. Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsa…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.apache.pulsar:pulsar-broker-auth-sasl3.0.0 — 3.0.2+2

▶NVDapache/pulsar2.11.0 — 2.11.3+3

▶CVEListV5apache_software_foundation/apache_pulsar2.11.0 — 2.11.2+3

🔴Vulnerability Details

CVEList

Apache Pulsar: Timing attack in SASL token signature verification↗2024-02-07

▶

GHSA

Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability↗2024-02-07

▶

OSV

Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability↗2024-02-07

▶