GHSA-3mg9-m3f6-v7fq

Source
https://github.com/advisories/GHSA-3mg9-m3f6-v7fq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-3mg9-m3f6-v7fq/GHSA-3mg9-m3f6-v7fq.json
Aliases
Published
2022-09-25T00:00:18Z
Modified
2023-11-08T04:08:30.312432Z
Details

Improper Input Validation vulnerability in the Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can reach. An attacker could use this to launch DoS attacks that originate from the Pulsar Proxy's IP address. No bypass of the Pulsar Proxy authentication has been found: the attacker must hold a valid token for a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.

References

Affected packages

Maven / org.apache.pulsar:pulsar

Package

Name
org.apache.pulsar:pulsar

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.7.5

Affected versions

1.*

1.19.0-incubating
1.20.0-incubating
1.21.0-incubating
1.22.0-incubating
1.22.1-incubating

2.*

2.0.0-rc1-incubating
2.0.1-incubating
2.1.0-incubating
2.1.1-incubating
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4

Maven / org.apache.pulsar:pulsar

Package

Name
org.apache.pulsar:pulsar

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.3

Affected versions

2.*

2.8.0
2.8.1
2.8.2

Database specific

{
    "last_known_affected_version_range": "< 2.8.2"
}

Maven / org.apache.pulsar:pulsar

Package

Name
org.apache.pulsar:pulsar

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.9.0
Fixed
2.9.2

Affected versions

2.*

2.9.0
2.9.1

Database specific

{
    "last_known_affected_version_range": "< 2.9.1"
}