Versio.io

CVE-2021-41571

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 01-02-2022 02:15
Last modified: - 09-02-2022 04:47
Total changes: - 2

Description

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Low
Attack complexity
Network
Attack vector
None
Availability
High
Confidentiality
None
Integrity
Low
Privileges required
Unchanged
Scope
None
User interaction
6.5
Base score
2.8
3.6
Exploitability score
Impact score
 

Verification logic

OR
vendor=apache AND product=pulsar AND versionStartIncluding=2.6.0 AND versionEndExcluding=2.6.4
vendor=apache AND product=pulsar AND versionStartIncluding=2.7.0 AND versionEndExcluding=2.7.3
vendor=apache AND product=pulsar AND version=2.8.0
 

Reference

 


Keywords

NVD

 

CVE-2021-41571

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.