CVE-2023-37579

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.<br /> <br /> This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.<br /> <br /> Any authenticated user can retrieve a source&amp;#39;s configuration or a sink&amp;#39;s configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant&amp;#39;s sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.<br /> <br /> The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.<br /> <br /> 2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.<br /> 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.<br /> 3.0 Pulsar Function Worker users are unaffected.<br /> Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.<br /> <br />