CVE-2021-41571

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:2.8.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:26

Type Values Removed Values Added
References () https://github.com/apache/pulsar/issues/11814 - Exploit, Issue Tracking, Patch, Third Party Advisory () https://github.com/apache/pulsar/issues/11814 - Exploit, Issue Tracking, Patch, Third Party Advisory
References () https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr - Mailing List, Vendor Advisory () https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr - Mailing List, Vendor Advisory
References () https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId - Patch, Vendor Advisory () https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId - Patch, Vendor Advisory

17 Jul 2023, 15:18

Type Values Removed Values Added
CWE CWE-20 CWE-863

09 Feb 2022, 15:47

Type Values Removed Values Added
CPE cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:2.8.0:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.0
v3 : 6.5
CWE CWE-20
References (MISC) https://github.com/apache/pulsar/issues/11814 - (MISC) https://github.com/apache/pulsar/issues/11814 - Exploit, Issue Tracking, Patch, Third Party Advisory
References (MISC) https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr - (MISC) https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr - Mailing List, Vendor Advisory
References (MISC) https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId - (MISC) https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId - Patch, Vendor Advisory

01 Feb 2022, 13:56

Type Values Removed Values Added
New CVE

Information

Published : 2022-02-01 13:15

Updated : 2024-11-21 06:26


NVD link : CVE-2021-41571

Mitre link : CVE-2021-41571

CVE.ORG link : CVE-2021-41571


JSON object : View

Products Affected

apache

  • pulsar
CWE
CWE-863

Incorrect Authorization