Vulnerability Information
Vulnerability Title
Pulsar Admin API allows access to data from other tenants using getMessageById API
Vulnerability Description
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid id for the topic. Authorisation controls are performed against the topic name, and there is no proper validation that the ledger id is valid in the context of that topic. As a result, the user may be able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
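The following is an added example, not Apache Pulsar source code: a small self-contained model of the authorization gap described above, showing a topic-only check beside one that also verifies the ledger id belongs to the authorized topic. All class, method, role, topic and ledger values are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

// Constructed model of the flaw described above; not Apache Pulsar source code.
// All class, method, role and topic names here are hypothetical.
public class LedgerOwnershipCheck {
    // Constructed data: which role may read which topic.
    static final Map<String, Set<String>> TOPIC_READERS = Map.of(
        "persistent://tenant-a/ns/orders", Set.of("role-a"),
        "persistent://tenant-b/ns/payments", Set.of("role-b"));
    // Constructed data: ledger ids that back each topic.
    static final Map<String, Set<Long>> TOPIC_LEDGERS = Map.of(
        "persistent://tenant-a/ns/orders", Set.of(101L, 102L),
        "persistent://tenant-b/ns/payments", Set.of(201L));

    static boolean canRead(String role, String topic) {
        return TOPIC_READERS.getOrDefault(topic, Set.of()).contains(role);
    }

    // Flawed pattern: the decision depends on the topic name only, so any
    // ledger id the caller supplies is accepted once the topic check passes.
    static boolean allowTopicOnly(String role, String topic, long ledgerId) {
        return canRead(role, topic);
    }

    // Hardened pattern: the ledger id must also belong to the authorized topic.
    static boolean allowWithLedgerCheck(String role, String topic, long ledgerId) {
        return canRead(role, topic)
            && TOPIC_LEDGERS.getOrDefault(topic, Set.of()).contains(ledgerId);
    }

    public static void main(String[] args) {
        String topic = "persistent://tenant-a/ns/orders";
        // role-a names its own topic but passes ledger id 201, which backs tenant-b's topic.
        System.out.println("topic-only check, ledger 201:  "
            + allowTopicOnly("role-a", topic, 201L));
        System.out.println("with ledger check, ledger 201: "
            + allowWithLedgerCheck("role-a", topic, 201L));
        System.out.println("with ledger check, ledger 101: "
            + allowWithLedgerCheck("role-a", topic, 101L));
    }
}
```

The point for reviewers is that every caller-supplied resource pointer needs its own ownership check, bound to the resource that was actually authorized.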
CVSS Information
N/A
Vulnerability Type
Incorrect Authorization
Vulnerability Title
Apache Pulsar Input Validation Error Vulnerability
Vulnerability Description
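Apache Pulsar is a distributed messaging and streaming platform from the Apache Software Foundation (USA) for cloud environments that integrates messaging, storage, and lightweight functional computing. The software supports multi-tenancy, persistent storage, and cross-region data replication across multiple data centers, and offers highly scalable streaming data storage with strong consistency, high throughput, and low latency. Apache Pulsar has an input validation error vulnerability, which stems from the network system or product failing to properly validate input data. The following products and versions are affected: Apache Pulsar 2.8.0 and earlier versions, 2.7.3 and earlier versions, and 2.6.4 and earlier versions.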
CVSS Information
N/A
Vulnerability Type
N/A