Vulnerability DatabaseCVE-2024-28098
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-28098
Published:March 12, 2024
Updated:May 23, 2026
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Affected Packages
org.apache.pulsar:pulsar-broker (JAVA):
Affected version(s) =3.2.0 <3.2.1
Fix Suggestion:
Update to version 3.2.1
org.apache.pulsar:pulsar-broker (JAVA):
Affected version(s) >=2.11.0 <2.11.4
Fix Suggestion:
Update to version 2.11.4
org.apache.pulsar:pulsar-broker (JAVA):
Affected version(s) >=3.0.0 <3.0.3
Fix Suggestion:
Update to version 3.0.3
org.apache.pulsar:pulsar-broker (JAVA):
Affected version(s) >=3.1.0 <3.1.3
Fix Suggestion:
Update to version 3.1.3
org.apache.pulsar:pulsar-broker (JAVA):
Affected version(s) >=2.7.1 <2.10.6
Fix Suggestion:
Update to version 2.10.6
Related Resources (6)
https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z
https://github.com/apache/pulsar
https://pulsar.apache.org/security/CVE-2024-28098/
http://www.openwall.com/lists/oss-security/2024/03/12/12
https://nvd.nist.gov/vuln/detail/CVE-2024-28098
https://pulsar.apache.org/security/CVE-2024-28098
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
0.23