Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-28098

Good to know:

icon
icon

Date: March 12, 2024

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Language: Java

Severity Score

Related Resources (5)

https://pulsar.apache.org/security/CVE-2024-28098/
https://nvd.nist.gov/vuln/detail/CVE-2024-28098
https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z
http://www.openwall.com/lists/oss-security/2024/03/12/12
https://www.mend.io/vulnerability-database/CVE-2024-28098

Severity Score

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.pulsar:pulsar-broker:2.10.6,2.11.4,3.0.3,3.1.3,3.2.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us