CVE-2024-28098

CWE-863Incorrect Authorization5 documents5 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 54.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache PulsarApache Pulsar
Timeline
PublishedMar 12

Description

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users s

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages3 packages

NVDapache/pulsar2.7.12.10.6+4
Mavenorg.apache.pulsar:pulsar-broker3.2.03.2.1+4
CVEListV5apache_software_foundation/apache_pulsar2.7.12.10.6+4

🔴Vulnerability Details

3
OSV
Apache Pulsar: Improper Authorization For Topic-Level Policy Management2024-03-12
CVEList
Apache Pulsar: Improper Authorization For Topic-Level Policy Management2024-03-12
GHSA
Apache Pulsar: Improper Authorization For Topic-Level Policy Management2024-03-12

📋Vendor Advisories

1
Red Hat
apache-pulsar: Improper Authorization For Topic-Level Policy Management2024-03-12