Security

Security Policy

The Pulsar community follows the ASF security vulnerability handling process.

To report a new vulnerability you have discovered, please follow the ASF security vulnerability reporting process. To report a vulnerability for Pulsar, contact the Apache Security Team. When reporting a vulnerability to [email protected], you can copy your email to [email protected] to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.

It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the [email protected] mailing list. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.

Security advisories

Please subscribe to the [email protected] mailing list to receive Apache Pulsar security advisories when they are published. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.

2024

2024-10-04 Apache Pulsar 3.3.2 released with important security fix for CVE-2024-47561
2024-10-04 Apache Pulsar 3.0.7 released with important security fix for CVE-2024-47561
2024-10-04 Expediting Pulsar releases 3.0.7 and 3.3.2 due to critical RCE vulnerability in Avro Java SDK <1.11.4, CVE-2024-47561
2024-04-02 CVE-2024-29834 Improper Authorization For Namespace and Topic Management Endpoints
2024-03-12 CVE-2022-34321 Improper Authentication for Pulsar Proxy Statistics Endpoint
2024-03-12 CVE-2024-27135 Improper Input Validation in Pulsar Function Worker allows Remote Code Execution
2024-03-12 CVE-2024-27317 Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification
2024-03-12 CVE-2024-27894 Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying
2024-03-12 CVE-2024-28098 Improper Authorization For Topic-Level Policy Management
2024-02-07 CVE-2023-51437 Timing attack in SASL token signature verification

2023

2023-12-20 CVE-2023-37544 Improper Authentication for WebSocket Proxy Endpoint Allows DoS
2023-07-13 CVE-2023-31007 Broker does not always disconnect client when authentication data expires
2023-07-12 CVE-2023-30428 Incorrect Authorization Validation for Rest Producer
2023-07-12 CVE-2023-30429 Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy
2023-07-12 CVE-2023-37579 Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials

2022

2022-01-31 CVE-2021-41571 Pulsar Admin API allows access to data from other tenants using getMessageById API
2022-09-22 CVE-2022-24280 Apache Pulsar Proxy target broker address isn't validated
2022-09-22 CVE-2022-33681 Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
2022-09-22 CVE-2022-33682 Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack
2022-09-22 CVE-2022-33683 Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack
2022-11-03 CVE-2022-33684 Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation