An Improper Input Validation vulnerability in the Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this to launch DoS attacks that originate from the Pulsar Proxy's IP address. It has not been detected that Pulsar Proxy authentication can be bypassed; the attacker must have a valid token for a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; and 2.6.4 and earlier.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24280.json"
[
{
"deprecated": false,
"id": "CVE-2022-24280-12259f2a",
"digest": {
"length": 2292.0,
"function_hash": "277975139527168023542583758241860614296"
},
"source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc",
"function": "ClientCredentialFlow::authenticate"
}
},
{
"deprecated": false,
"id": "CVE-2022-24280-92d1ae86",
"digest": {
"threshold": 0.9,
"line_hashes": [
]
},
"source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
}
},
{
"deprecated": false,
"id": "CVE-2022-24280-df50935f",
"digest": {
"length": 1666.0,
"function_hash": "251125620373411933348266831728513899338"
},
"source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc",
"function": "ClientCredentialFlow::initialize"
}
}
]