Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-34321

Опубликовано: 12 мар. 2024
Источник: nvd
CVSS3: 8.2
CVSS3: 8.2
EPSS Низкий

Описание

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials.

This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.

The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by defau

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
Версия от 2.6.0 (включая) до 2.10.6 (исключая)
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
Версия от 2.11.0 (включая) до 2.11.3 (исключая)
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
Версия от 3.0.0 (включая) до 3.0.2 (исключая)
cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*

EPSS

Процентиль: 12%
0.0004
Низкий

8.2 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-306

Связанные уязвимости

redhat логотип

CVE-2022-34321

CVSS3: 8.2
redhat
почти 2 года назад

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections without requiring proper authentication credentials. This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0. The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is being configured to "Cluster" by defa...

github логотип

GHSA-c35h-w8hj-mm55

CVSS3: 8.2
github
почти 2 года назад

Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint

fstec логотип

BDU:2024-02677

CVSS3: 8.2
fstec
почти 2 года назад

Уязвимость прокси-сервера облачной платформы для распределенного обмена сообщениями и потоковой передачи Apache Pulsar, позволяющая нарушителю раскрыть защищаемую информацию и вызвать отказ в обслуживании

EPSS

Процентиль: 12%
0.0004
Низкий

8.2 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-306