What is CVE-2023-31007?

CVE-2023-31007 is an improper authentication vulnerability in Apache Pulsar Broker.

What is the severity of CVE-2023-31007?

CVE-2023-31007 has a severity score of 6.5 (Medium).

How can I fix CVE-2023-31007?

To fix CVE-2023-31007, update your Apache Pulsar Broker to version 2.11.1 or 2.10.4.

Where can I find more information about CVE-2023-31007?

You can find more information about CVE-2023-31007 on the NIST website, Apache mailing list, and GitHub advisory.

Vulnerability/
CVE-2023-31007

medium

6.5

CWE

287

11/7/2023

12/7/2023

2/8/2024

CVE-2023-31007: Apache Pulsar: Broker does not always disconnect client when authentication data expires

Q: How does CVE-2023-31007 affect Apache Pulsar Broker?

CVE-2023-31007 allows a client to stay connected to a broker after authentication data expires.

First published: Tue Jul 11 2023(Updated: )

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false. This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0. 2.9 Pulsar Broker users should upgrade to at least 2.9.5. 2.10 Pulsar Broker users should upgrade to at least 2.10.4. 2.11 Pulsar Broker users should upgrade to at least 2.11.1. 3.0 Pulsar Broker users are unaffected. Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Pulsar	=2.11.0
Apache Pulsar	=2.11.0-candidate_1
Apache Pulsar	=2.11.0-candidate_5
Apache Pulsar	>=2.10.0<=2.10.3
Apache Pulsar	<2.9.5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-31007?
CVE-2023-31007 is an improper authentication vulnerability in Apache Pulsar Broker.
How does CVE-2023-31007 affect Apache Pulsar Broker?
CVE-2023-31007 allows a client to stay connected to a broker after authentication data expires.
What is the severity of CVE-2023-31007?
CVE-2023-31007 has a severity score of 6.5 (Medium).
How can I fix CVE-2023-31007?
To fix CVE-2023-31007, update your Apache Pulsar Broker to version 2.11.1 or 2.10.4.
Where can I find more information about CVE-2023-31007?
You can find more information about CVE-2023-31007 on the NIST website, Apache mailing list, and GitHub advisory.

collector/oss-sec
alias/CVE-2023-31007
collector/github-advisory-latest
alias/GHSA-47r2-phr8-m8cp
collector/nvd-latest
collector/github-advisory
collector/nvd-index
collector/nvd-cve
agent/type
agent/first-publish-date
agent/last-modified-date
agent/softwarecombine
collector/nvd-api
agent/software-canonical-lookup-request
agent/author
agent/severity
agent/references
agent/title
agent/weakness
agent/tags
agent/description
agent/event
collector/mitre-cve
source/MITRE
package-manager/maven
vendor/apache
canonical/apache pulsar
version/apache pulsar/2.11.0
version/apache pulsar/2.11.0-candidate_1
version/apache pulsar/2.11.0-candidate_5
version/apache pulsar/2.10.0
version/apache pulsar/2.10.3

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.