CVE-2023-31007
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-287
Autenticación incorrecta
Fecha de publicación:
12/07/2023
Última modificación:
20/07/2023
Descripción
*** Pendiente de traducción *** Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.<br />
<br />
This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.<br />
<br />
2.9 Pulsar Broker users should upgrade to at least 2.9.5.<br />
2.10 Pulsar Broker users should upgrade to at least 2.10.4.<br />
2.11 Pulsar Broker users should upgrade to at least 2.11.1.<br />
3.0 Pulsar Broker users are unaffected.<br />
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.<br />
Impacto
Puntuación base 3.x
6.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.9.5 (excluyendo) | |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.10.0 (incluyendo) | 2.10.3 (incluyendo) |
| cpe:2.3:a:apache:pulsar:2.11.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:pulsar:2.11.0:candidate_1:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:pulsar:2.11.0:candidate_5:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página