Apache Pulsar Broker Improper Auth after Expiry - Fixed in 2.9.5, 2.10.4, 2.11.1
CVE-2023-31007 Published on July 12, 2023
Apache Pulsar: Broker does not always disconnect client when authentication data expires
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after its authentication data expires. This happens in two cases, both when the broker is configured with authenticateOriginalAuthData=false: when the client connected through the Pulsar Proxy, or when the client connects directly to a broker with a specially crafted connect command.
This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.
2.9 Pulsar Broker users should upgrade to at least 2.9.5.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.
Vulnerability Analysis
CVE-2023-31007 can be exploited with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, integrity, or availability.
Weakness Type
What is an authentication vulnerability?
When an actor claims to have a given identity, the software does not prove, or insufficiently proves, that the claim is correct.
CVE-2023-31007 has been classified as an authentication vulnerability or weakness.
Products Associated with CVE-2023-31007
Affected Versions
Apache Software Foundation Apache Pulsar:
- Before 2.9.5 is affected.
- Version 2.10.0 through 2.10.3 is affected.
- Version 2.11.0 is affected.
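As an added example (not code from the advisory or from the Pulsar project), the following Python script applies the affected-version ranges and the upgrade guidance stated above to a broker version string and a broker.conf fragment. The advisory describes the issue only when authenticateOriginalAuthData is false, so the check reports a broker as exposed only in that case; upgrading remains the fix. It assumes Pulsar's documented default of authenticateOriginalAuthData=false when the key is absent, and the configuration fragment it reads is constructed for the example.

```python
"""Assess a Pulsar broker against CVE-2023-31007 using the advisory's own
version ranges and the broker.conf setting it names.
Illustrative code added to this page; not part of Apache Pulsar."""
import re

# Affected ranges exactly as the advisory lists them:
# through 2.9.4, 2.10.0 through 2.10.3, and 2.11.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (2, 9, 4)),
    ((2, 10, 0), (2, 10, 3)),
    ((2, 11, 0), (2, 11, 0)),
]

# Constructed sample broker.conf fragment (not taken from a real deployment).
SAMPLE_BROKER_CONF = """\
# constructed sample
authenticationEnabled=true
authenticateOriginalAuthData=false
"""


def parse_version(text):
    """Turn '2.10.3' (optionally with a '-SNAPSHOT'-style suffix) into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version falls inside any range the advisory lists."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """Upgrade target from the advisory for an affected version, else None."""
    v = parse_version(version)
    if not is_affected_version(version):
        return None
    targets = {(2, 9): "2.9.5", (2, 10): "2.10.4", (2, 11): "2.11.1"}
    # 2.8.* and earlier: any of the patched releases is acceptable.
    return targets.get(v[:2], "2.9.5, 2.10.4 or 2.11.1")


def parse_broker_conf(text):
    """Minimal key=value parser for broker.conf; ignores blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def assess(version, broker_conf_text):
    """Combine the version check with the configuration condition the advisory names."""
    conf = parse_broker_conf(broker_conf_text)
    # Assumption: Pulsar defaults authenticateOriginalAuthData to false when unset.
    original_auth = conf.get("authenticateOriginalAuthData", "false").lower() == "true"
    affected = is_affected_version(version)
    return {
        "version": version,
        "affected_version": affected,
        "authenticateOriginalAuthData": original_auth,
        # Exposed only when both conditions from the advisory hold.
        "exposed": affected and not original_auth,
        "upgrade_to": recommended_fix(version),
    }


if __name__ == "__main__":
    for ver in ("2.8.2", "2.10.2", "2.10.4", "3.0.0"):
        print(assess(ver, SAMPLE_BROKER_CONF))
```

Run it against the real broker version and broker.conf of a deployment; a result with `exposed` true and a non-empty `upgrade_to` is the case the advisory tells operators to patch.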
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.