Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.7"
},
{
"last_affected": "2.7.4"
},
{
"introduced": "2.8"
},
{
"last_affected": "2.8.2"
},
{
"introduced": "2.9"
},
{
"last_affected": "2.9.1"
},
{
"introduced": "2.6 and earlier"
},
{
"last_affected": "2.6.4"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24280.json",
"cna_assigner": "apache",
"cwe_ids": [
"CWE-20"
]
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "2.6.4"
},
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.5"
},
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.3"
},
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.2"
}
]
}"2026-07-09T02:49:25Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24280.json"
[
{
"id": "CVE-2022-24280-1150faec",
"digest": {
"function_hash": "334133909832352670281283709148382378045",
"length": 830.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "rollCurrentLedgerIfFull",
"file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
}
},
{
"id": "CVE-2022-24280-12259f2a",
"digest": {
"function_hash": "277975139527168023542583758241860614296",
"length": 2292.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
"deprecated": false,
"target": {
"function": "ClientCredentialFlow::authenticate",
"file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
}
},
{
"id": "CVE-2022-24280-1abf969c",
"digest": {
"function_hash": "206323219314926999660697179267909806489",
"length": 876.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "testManagedLedgerRollOverIfFull",
"file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
}
},
{
"id": "CVE-2022-24280-2c87fbd8",
"digest": {
"line_hashes": [
"154160312887711081720216203795030928836",
"259407904162056318337932737266663464107",
"209992782054758199205426001309268686537",
"316035092639635241298506176875000151126",
"30138796980367551228252790519323065074",
"294031615109324692669175784633824036780",
"289046684978486226835816866450163308359",
"207204535475596102638439598732694349415",
"99272397691259295152792445016281095153",
"302618873481036480017765596682921924289",
"115375905300734662971306852688239635908",
"19326125285621650408285153211265558048",
"64077451847596895621326725771630420193",
"10869107020897704441096431462571441020",
"327371471465694513701615001755532131190"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
}
},
{
"id": "CVE-2022-24280-2ee6dcc9",
"digest": {
"line_hashes": [
"319267257102549069279125573260097171472",
"181933743892123798508765337295400235132",
"92754089209931631356772168942089821883",
"221018915626143141731874523206529579161",
"263626537608417191799289315659130445726",
"263030387447838232554195498965313845034"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"file": "pulsar-transaction/coordinator/src/test/java/org/apache/pulsar/transaction/coordinator/MLTransactionMetadataStoreTest.java"
}
},
{
"id": "CVE-2022-24280-3851db0a",
"digest": {
"function_hash": "230631252789215877018458624858066698002",
"length": 1627.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "testGetPositionAfterN",
"file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
}
},
{
"id": "CVE-2022-24280-50550ec7",
"digest": {
"line_hashes": [
"120207624169484096622671081914397469250",
"101971260319415062074048399921716489078",
"240910195981816740557132896532544311828",
"59403121929329842244811373960653319349"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"file": "pulsar-broker/src/test/java/org/apache/pulsar/broker/service/CurrentLedgerRolloverIfFullTest.java"
}
},
{
"id": "CVE-2022-24280-6975a38c",
"digest": {
"function_hash": "131250815876920513861381003417420756423",
"length": 1483.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "testRecoverSequenceId",
"file": "pulsar-transaction/coordinator/src/test/java/org/apache/pulsar/transaction/coordinator/MLTransactionMetadataStoreTest.java"
}
},
{
"id": "CVE-2022-24280-70657dd0",
"digest": {
"function_hash": "95757137096222225319966188709030463229",
"length": 916.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "testFindNewestMatchingAfterLedgerRollover",
"file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java"
}
},
{
"id": "CVE-2022-24280-92d1ae86",
"digest": {
"line_hashes": [
"138731027338807742257602544720899196755",
"74687474208210138331018143514760494178",
"127537404541661293760255813251277450694",
"269130058048547313450032167743061572422",
"160586998600921754464278051758511912165",
"138731027338807742257602544720899196755",
"74687474208210138331018143514760494178",
"307704974728367209802353624848416088758",
"101532560577043034689871438614523044420",
"109557709976533886429298576965339903191"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
"deprecated": false,
"target": {
"file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
}
},
{
"id": "CVE-2022-24280-a5dc5feb",
"digest": {
"function_hash": "15938636423471082758689240206286054602",
"length": 1621.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "testCurrentLedgerRolloverIfFull",
"file": "pulsar-broker/src/test/java/org/apache/pulsar/broker/service/CurrentLedgerRolloverIfFullTest.java"
}
},
{
"id": "CVE-2022-24280-bda31429",
"digest": {
"function_hash": "37789854401092532278017836056462643620",
"length": 882.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "testDeletionAfterLedgerClosedAndRetention",
"file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
}
},
{
"id": "CVE-2022-24280-c796b921",
"digest": {
"line_hashes": [
"82396761848527172490605639562109462420",
"15117990753522532365040323290253014152",
"184107317196857414944435323575629884832",
"8129644596932064286683234746625810863",
"193678289944985930566764389106971185144",
"305585551754407719122661861847043293747",
"328692063093463157471871189538992777542",
"205027650064323308178886378365687650844",
"299922039975374618823056403866083099312",
"250729039349321721747621065295622134898",
"64288651924678977610070305871929027367",
"94211328314150140774215585563225056916",
"92534970460509984378231960621482979742",
"114402657113937178002189254793064254698",
"220747746116493351999202611581313495236",
"223393345991883108307761585024308993124",
"186793821112837296293962685450191887885",
"76481396916666393194759832929551980168",
"75720642236823668433069411427968376738"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
}
},
{
"id": "CVE-2022-24280-d5a0aca1",
"digest": {
"function_hash": "6999523457529835905655503241226986618",
"length": 380.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "createLedgerAfterClosed",
"file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
}
},
{
"id": "CVE-2022-24280-d8195e32",
"digest": {
"function_hash": "317344979416470443897730883520672087114",
"length": 2250.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"function": "internalAsyncAddEntry",
"file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
}
},
{
"id": "CVE-2022-24280-df50935f",
"digest": {
"function_hash": "251125620373411933348266831728513899338",
"length": 1666.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
"deprecated": false,
"target": {
"function": "ClientCredentialFlow::initialize",
"file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
}
},
{
"id": "CVE-2022-24280-ecd7b6d0",
"digest": {
"line_hashes": [
"66453677095586216932482839317386627991",
"498727577572754003956535127281791622",
"254076284666532838880709797479289391009",
"163002453423232658425084050181201394139"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
"deprecated": false,
"target": {
"file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java"
}
}
]