漏洞标题
Apache Pulsar Function Worker: 函数 worker 的不正确授权可以泄露Sink/Source 密钥
漏洞描述信息
Apache Pulsar 功能工作者:功能工作者的授权不正确可能会泄露 Sink/Source凭据
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞类别
授权机制不正确
漏洞标题
Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials
漏洞描述信息
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.
This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.
Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.
The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
漏洞类别
授权机制不正确
漏洞标题
Apache Pulsar 安全漏洞
漏洞描述信息
Apache Pulsar是美国阿帕奇(Apache)基金会的一个用于云环境种,集消息、存储、轻量化函数式计算为一体的分布式消息流平台。该软件支持多租户、持久化存储、多机房跨区域数据复制,具有强一致性、高吞吐以及低延时的高可扩展流数据存储特性。 Apache Pulsar 存在安全漏洞,该漏洞源于许多源和接收器在配置中包含凭据,这可能会导致凭据泄露。
CVSS信息
N/A
漏洞类别
其他