CVE-2024-28098: Apache Pulsar: Improper Authorization For Topic-Level Policy Management
First published: Tue Mar 12 2024(Updated: )
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.pulsar:pulsar-broker | >=2.7.1<=2.10.5 | 2.10.6 |
| maven/org.apache.pulsar:pulsar-broker | >=2.11.0<=2.11.3 | 2.11.4 |
| maven/org.apache.pulsar:pulsar-broker | >=3.0.0<=3.0.2 | 3.0.3 |
| maven/org.apache.pulsar:pulsar-broker | >=3.1.0<=3.1.2 | 3.1.3 |
| maven/org.apache.pulsar:pulsar-broker | >=3.2.0<3.2.1 | 3.2.1 |
| Apache Pulsar | >=2.7.1<2.10.6 | |
| Apache Pulsar | >=2.11.0<2.11.4 | |
| Apache Pulsar | >=3.0.0<3.0.3 | |
| Apache Pulsar | =3.2.0 | |
| >=2.7.1<2.10.6 | ||
| >=2.11.0<2.11.4 | ||
| >=3.0.0<3.0.3 | ||
| =3.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z
- https://pulsar.apache.org/security/CVE-2024-28098/
- https://nvd.nist.gov/vuln/detail/CVE-2024-28098
- https://pulsar.apache.org/security/CVE-2024-28098
- https://github.com/advisories/GHSA-g627-r579-rw35 (Advisory)
- http://www.openwall.com/lists/oss-security/2024/03/12/12
Frequently Asked Questions
What is the severity of CVE-2024-28098?
The severity of CVE-2024-28098 is significant as it allows unauthorized modification of topic-level policies by authenticated users with limited permissions.
How do I fix CVE-2024-28098?
To fix CVE-2024-28098, you should upgrade to the patched versions of Apache Pulsar: 2.10.6, 2.11.4, 3.0.3, 3.1.3, or 3.2.1.
Who is affected by CVE-2024-28098?
CVE-2024-28098 affects authenticated users of Apache Pulsar with only produce or consume permissions in versions prior to the patched releases.
What type of policies can be modified due to CVE-2024-28098?
CVE-2024-28098 allows modification of critical topic-level policies, including retention, TTL, and offloading settings.
What roles should have management permissions in Apache Pulsar to avoid CVE-2024-28098?
Management operations in Apache Pulsar should be restricted to users with the tenant admin role or super user role to prevent exploitation of CVE-2024-28098.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-28098
- agent/title
- agent/first-publish-date
- agent/weakness
- agent/type
- agent/description
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g627-r579-rw35
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/tags
- agent/source
- collector/nvd-api
- agent/softwarecombine
- agent/severity
- package-manager/maven
- vendor/apache
- canonical/apache pulsar
- version/apache pulsar/2.7.1
- version/apache pulsar/2.11.0
- version/apache pulsar/3.0.0
- version/apache pulsar/3.1.0
- version/apache pulsar/3.2.0