Incorrect Input Validation Vulnerability in Apache Pulsar Proxy with Remote Code Execution Vulnerability

In the Apache Pulsar Proxy component, the input validation of the username and password fields is performed in the URLDecode() function. An attacker could exploit this issue to inject arbitrary characters into the username or password fields, hijack the authentication flow and gain privileged access to a Pulsar cluster. This vulnerability has been confirmed to affect Apache Pulsar versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; and 2.6.4 and earlier. Version 2.10.0 has been released to fix this issue.

Apache Pulsar Proxy Vulnerability - Technical Details

The vulnerability exists due to the improper input validation of the username and password fields in the URLDecode() function. An attacker could exploit this issue to inject arbitrary characters into the username or password fields. By hijacking the authentication flow, an attacker can gain privileged access to a Pulsar Cluster.

How do I find out if my project is vulnerable?

This issue has been confirmed to affect Apache Pulsar versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; and 2.6.4 and earlier.
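An added version check, not from the advisory or the Pulsar project, that tells whether a deployment's version string falls inside the affected ranges listed above. It compares versions as integer tuples rather than strings, because a plain string comparison would wrongly sort the fixed release 2.10.0 before 2.9.1; the sample version strings at the bottom are constructed.

```python
"""Decide whether an Apache Pulsar version is in the advisory's affected ranges.

Affected per the advisory: 2.6.4 and earlier; 2.7.0-2.7.4; 2.8.0-2.8.2; 2.9.0-2.9.1.
Fixed in: 2.10.0.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive (lowest, highest) ranges taken from the advisory text.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (2, 6, 4)),
    ((2, 7, 0), (2, 7, 4)),
    ((2, 8, 0), (2, 8, 2)),
    ((2, 9, 0), (2, 9, 1)),
]
FIXED_VERSION: Version = (2, 10, 0)

# major.minor.patch with an optional suffix such as "-SNAPSHOT" or "+build".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?$")


def parse_version(text: str) -> Version:
    """Turn '2.10.0' (or '2.10.0-SNAPSHOT') into a tuple of ints.

    Integer tuples compare numerically, so (2, 10, 0) > (2, 9, 1);
    the strings '2.10.0' and '2.9.1' would compare the other way round.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Pulsar version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assessment(text: str) -> str:
    """One-line verdict for a version string."""
    v = parse_version(text)
    if is_affected(text):
        return f"{text}: AFFECTED, upgrade to {'.'.join(map(str, FIXED_VERSION))}"
    if v < FIXED_VERSION:
        return f"{text}: not in a listed range but older than the fix; verify manually"
    return f"{text}: not affected (fix release or later)"


if __name__ == "__main__":
    # Constructed sample version strings, e.g. as reported by a deployment.
    for sample in ["2.6.4", "2.7.3", "2.8.3", "2.9.1", "2.10.0", "2.10.0-SNAPSHOT"]:
        print(assessment(sample))
```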

References

https://www.apache.org/security/advisories/CVE-2022-24280.txt

How to Fix Incorrect Input Validation Vulnerability in Apache Pulsar Proxy

Apache Pulsar 2.10.0 has been released to fix this issue; update to version 2.10.0.

Description of the vulnerability

Version 2.10.0 of Apache Pulsar had an input validation vulnerability that allowed arbitrary characters to be injected into the username or password fields handled by the URLDecode() function. This issue has been confirmed to affect versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; and 2.6.4 and earlier releases of Apache Pulsar, as well as earlier versions of Apache Pulsar components not referenced here but which may share code with Apache Pulsar components, such as the Apache Log4j and Apache Thrift APIs.

Timeline

Published on: 09/23/2022 10:15:00 UTC
Last modified on: 09/23/2022 19:19:00 UTC