CVE-2024-29834

Severity
6.4 MEDIUM
EPSS
0.2%
top 55.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 2

Description

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.1 | Impact: 2.7

Affected Packages (3 packages)

NVD | apache/pulsar | 3.0.0 | 3.0.4 | +4
Maven | org.apache.pulsar:pulsar-broker | 3.0.0 | 3.0.4 | +4
CVEListV5 | apache_software_foundation/apache_pulsar | 3.0.0 | 3.0.4 | +4

🔴 Vulnerability Details (3)

CVEList | Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints | 2024-04-02
OSV | Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints | 2024-04-02
GHSA | Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints | 2024-04-02

📋 Vendor Advisories (1)

Red Hat | apache-pulsar: improper authorization for namespace and topic management endpoints | 2024-04-02