What is CVE-2023-37579?

CVE-2023-37579 is a vulnerability in Apache Pulsar Function Worker that allows any authenticated user to retrieve a source's configuration or a sink's configuration without authorization.

How does CVE-2023-37579 affect Apache Pulsar?

CVE-2023-37579 affects Apache Pulsar versions before 2.10.4 and 2.11.0.

What is the severity level of CVE-2023-37579?

The severity level of CVE-2023-37579 is high, with a CVSS score of 6.5.

How can I fix CVE-2023-37579?

To fix CVE-2023-37579, update your Apache Pulsar version to 2.10.4 or 2.11.1.

Where can I find more information about CVE-2023-37579?

You can find more information about CVE-2023-37579 on the NIST website (https://nvd.nist.gov/vuln/detail/CVE-2023-37579) and in the Apache Pulsar mailing list (https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz).

Vulnerability/
CVE-2023-37579

high

8.2

CWE

863

11/7/2023

12/7/2023

8/10/2024

CVE-2023-37579: Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials

First published: Tue Jul 11 2023(Updated: )

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability. The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.4. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1. 3.0 Pulsar Function Worker users are unaffected. Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Pulsar	<2.10.4
Apache Pulsar	=2.11.0
Apache Pulsar	=2.11.0-candidate_1
Apache Pulsar	=2.11.0-candidate_5
maven/org.apache.pulsar:pulsar-functions-worker	=2.11.0	2.11.1
maven/org.apache.pulsar:pulsar-functions-worker	<2.10.4	2.10.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-37579?
CVE-2023-37579 is a vulnerability in Apache Pulsar Function Worker that allows any authenticated user to retrieve a source's configuration or a sink's configuration without authorization.
How does CVE-2023-37579 affect Apache Pulsar?
CVE-2023-37579 affects Apache Pulsar versions before 2.10.4 and 2.11.0.
What is the severity level of CVE-2023-37579?
The severity level of CVE-2023-37579 is high, with a CVSS score of 6.5.
How can I fix CVE-2023-37579?
To fix CVE-2023-37579, update your Apache Pulsar version to 2.10.4 or 2.11.1.
Where can I find more information about CVE-2023-37579?
You can find more information about CVE-2023-37579 on the NIST website (https://nvd.nist.gov/vuln/detail/CVE-2023-37579) and in the Apache Pulsar mailing list (https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz).

collector/oss-sec
alias/CVE-2023-37579
collector/github-advisory-latest
alias/GHSA-74mc-g2xv-pch2
collector/nvd-latest
collector/github-advisory
collector/nvd-index
collector/nvd-cve
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/nvd-api
agent/software-canonical-lookup-request
agent/author
agent/severity
agent/references
agent/title
agent/weakness
agent/tags
agent/description
agent/event
collector/mitre-cve
source/MITRE
package-manager/maven
vendor/apache
canonical/apache pulsar
version/apache pulsar/2.11.0
version/apache pulsar/2.11.0-candidate_1
version/apache pulsar/2.11.0-candidate_5