CVE-2024-28098
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/03/2024
Last modified: 13/02/2025
Description
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.

This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

- 2.10 Apache Pulsar users should upgrade to at least 2.10.6.
- 2.11 Apache Pulsar users should upgrade to at least 2.11.4.
- 3.0 Apache Pulsar users should upgrade to at least 3.0.3.
- 3.1 Apache Pulsar users should upgrade to at least 3.1.3.
- 3.2 Apache Pulsar users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Impact
Base Score 3.x: 6.40
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.7.1 (including) | 2.10.6 (excluding) |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.11.0 (including) | 2.11.4 (excluding) |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.3 (excluding) |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 3.1.0 (including) | 3.1.3 (excluding) |
| cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/03/12/12
- https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z
- https://pulsar.apache.org/security/CVE-2024-28098/



