CVE-2022-24280

Source
https://cve.org/CVERecord?id=CVE-2022-24280
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24280.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24280
Aliases
Published
2022-09-23T09:25:12Z
Modified
2026-07-09T02:49:25.201792Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Apache Pulsar Proxy target broker address isn't validated
Details

Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "2.7"
                },
                {
                    "last_affected": "2.7.4"
                },
                {
                    "introduced": "2.8"
                },
                {
                    "last_affected": "2.8.2"
                },
                {
                    "introduced": "2.9"
                },
                {
                    "last_affected": "2.9.1"
                },
                {
                    "introduced": "2.6 and earlier"
                },
                {
                    "last_affected": "2.6.4"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24280.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/apache/pulsar

Affected ranges

Type
GIT
Repo
https://github.com/apache/pulsar
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.6.4"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.5"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.3"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.2"
        }
    ]
}

Affected versions

v2.*
v2.7.0
v2.7.0-candidate-2
v2.7.1
v2.7.1-candidate-1
v2.7.2
v2.7.2-candidate-1
v2.7.3
v2.7.3-candidate-1
v2.7.3-candidate-2
v2.7.4
v2.7.4-candidate-1
v2.7.4-candidate-2
v2.7.5-candidate-1
v2.7.5-candidate-2
v2.8.0
v2.8.0-candidate-3
v2.8.1
v2.8.1-candidate-1
v2.8.1-candidate-2
v2.8.1-candidate-3
v2.8.2
v2.8.2-candidate-1
v2.8.2-candidate-2
v2.8.3-candidate-1
v2.8.3-candidate-2
v2.8.3-candidate-3
v2.9.0
v2.9.0-candidate-4
v2.9.1
v2.9.1-candidate-1
v2.9.1-candidate-2
v2.9.2-candidate-1
v2.9.2-candidate-2
v2.9.2-candidate-3

Database specific

vanir_signatures_modified
"2026-07-09T02:49:25Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24280.json"
vanir_signatures
[
    {
        "id": "CVE-2022-24280-1150faec",
        "digest": {
            "function_hash": "334133909832352670281283709148382378045",
            "length": 830.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "rollCurrentLedgerIfFull",
            "file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
        }
    },
    {
        "id": "CVE-2022-24280-12259f2a",
        "digest": {
            "function_hash": "277975139527168023542583758241860614296",
            "length": 2292.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
        "deprecated": false,
        "target": {
            "function": "ClientCredentialFlow::authenticate",
            "file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
        }
    },
    {
        "id": "CVE-2022-24280-1abf969c",
        "digest": {
            "function_hash": "206323219314926999660697179267909806489",
            "length": 876.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "testManagedLedgerRollOverIfFull",
            "file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-2c87fbd8",
        "digest": {
            "line_hashes": [
                "154160312887711081720216203795030928836",
                "259407904162056318337932737266663464107",
                "209992782054758199205426001309268686537",
                "316035092639635241298506176875000151126",
                "30138796980367551228252790519323065074",
                "294031615109324692669175784633824036780",
                "289046684978486226835816866450163308359",
                "207204535475596102638439598732694349415",
                "99272397691259295152792445016281095153",
                "302618873481036480017765596682921924289",
                "115375905300734662971306852688239635908",
                "19326125285621650408285153211265558048",
                "64077451847596895621326725771630420193",
                "10869107020897704441096431462571441020",
                "327371471465694513701615001755532131190"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
        }
    },
    {
        "id": "CVE-2022-24280-2ee6dcc9",
        "digest": {
            "line_hashes": [
                "319267257102549069279125573260097171472",
                "181933743892123798508765337295400235132",
                "92754089209931631356772168942089821883",
                "221018915626143141731874523206529579161",
                "263626537608417191799289315659130445726",
                "263030387447838232554195498965313845034"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "file": "pulsar-transaction/coordinator/src/test/java/org/apache/pulsar/transaction/coordinator/MLTransactionMetadataStoreTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-3851db0a",
        "digest": {
            "function_hash": "230631252789215877018458624858066698002",
            "length": 1627.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "testGetPositionAfterN",
            "file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-50550ec7",
        "digest": {
            "line_hashes": [
                "120207624169484096622671081914397469250",
                "101971260319415062074048399921716489078",
                "240910195981816740557132896532544311828",
                "59403121929329842244811373960653319349"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "file": "pulsar-broker/src/test/java/org/apache/pulsar/broker/service/CurrentLedgerRolloverIfFullTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-6975a38c",
        "digest": {
            "function_hash": "131250815876920513861381003417420756423",
            "length": 1483.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "testRecoverSequenceId",
            "file": "pulsar-transaction/coordinator/src/test/java/org/apache/pulsar/transaction/coordinator/MLTransactionMetadataStoreTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-70657dd0",
        "digest": {
            "function_hash": "95757137096222225319966188709030463229",
            "length": 916.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "testFindNewestMatchingAfterLedgerRollover",
            "file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-92d1ae86",
        "digest": {
            "line_hashes": [
                "138731027338807742257602544720899196755",
                "74687474208210138331018143514760494178",
                "127537404541661293760255813251277450694",
                "269130058048547313450032167743061572422",
                "160586998600921754464278051758511912165",
                "138731027338807742257602544720899196755",
                "74687474208210138331018143514760494178",
                "307704974728367209802353624848416088758",
                "101532560577043034689871438614523044420",
                "109557709976533886429298576965339903191"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
        "deprecated": false,
        "target": {
            "file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
        }
    },
    {
        "id": "CVE-2022-24280-a5dc5feb",
        "digest": {
            "function_hash": "15938636423471082758689240206286054602",
            "length": 1621.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "testCurrentLedgerRolloverIfFull",
            "file": "pulsar-broker/src/test/java/org/apache/pulsar/broker/service/CurrentLedgerRolloverIfFullTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-bda31429",
        "digest": {
            "function_hash": "37789854401092532278017836056462643620",
            "length": 882.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "testDeletionAfterLedgerClosedAndRetention",
            "file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-c796b921",
        "digest": {
            "line_hashes": [
                "82396761848527172490605639562109462420",
                "15117990753522532365040323290253014152",
                "184107317196857414944435323575629884832",
                "8129644596932064286683234746625810863",
                "193678289944985930566764389106971185144",
                "305585551754407719122661861847043293747",
                "328692063093463157471871189538992777542",
                "205027650064323308178886378365687650844",
                "299922039975374618823056403866083099312",
                "250729039349321721747621065295622134898",
                "64288651924678977610070305871929027367",
                "94211328314150140774215585563225056916",
                "92534970460509984378231960621482979742",
                "114402657113937178002189254793064254698",
                "220747746116493351999202611581313495236",
                "223393345991883108307761585024308993124",
                "186793821112837296293962685450191887885",
                "76481396916666393194759832929551980168",
                "75720642236823668433069411427968376738"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerTest.java"
        }
    },
    {
        "id": "CVE-2022-24280-d5a0aca1",
        "digest": {
            "function_hash": "6999523457529835905655503241226986618",
            "length": 380.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "createLedgerAfterClosed",
            "file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
        }
    },
    {
        "id": "CVE-2022-24280-d8195e32",
        "digest": {
            "function_hash": "317344979416470443897730883520672087114",
            "length": 2250.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "function": "internalAsyncAddEntry",
            "file": "managed-ledger/src/main/java/org/apache/bookkeeper/mledger/impl/ManagedLedgerImpl.java"
        }
    },
    {
        "id": "CVE-2022-24280-df50935f",
        "digest": {
            "function_hash": "251125620373411933348266831728513899338",
            "length": 1666.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/apache/pulsar/commit/8eae5b8d572861e49c40d456b1f3cbc5d414afe1",
        "deprecated": false,
        "target": {
            "function": "ClientCredentialFlow::initialize",
            "file": "pulsar-client-cpp/lib/auth/AuthOauth2.cc"
        }
    },
    {
        "id": "CVE-2022-24280-ecd7b6d0",
        "digest": {
            "line_hashes": [
                "66453677095586216932482839317386627991",
                "498727577572754003956535127281791622",
                "254076284666532838880709797479289391009",
                "163002453423232658425084050181201394139"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/apache/pulsar/commit/a3f52891593e093c27b583094a1fbfd09bbbae1a",
        "deprecated": false,
        "target": {
            "file": "managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java"
        }
    }
]