Apache Pulsar

20 CVEs affecting Apache Pulsar. Latest disclosed: 2025-04-09. Critical: 2, High: 9.

Top CVEs affecting Apache Pulsar
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-22160 | Critical | 9.8 | 2021-05-26 | If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorith… |
| CVE-2023-30429 | Critical | 9.6 | 2023-07-12 | Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client… |
| CVE-2024-27894 | High | 8.5 | 2024-03-12 | The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a U… |
| CVE-2024-27135 | High | 8.5 | 2024-03-12 | Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, out… |
| CVE-2024-27317 | High | 8.4 | 2024-03-12 | In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Wo… |
| CVE-2022-34321 | High | 8.2 | 2024-03-12 | Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable… |
| CVE-2023-37579 | High | 8.2 | 2023-07-12 | Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0… |
| CVE-2023-30428 | High | 8.2 | 2023-07-12 | Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to… |
| CVE-2022-33684 | High | 8.1 | 2022-11-04 | The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureC… |
| CVE-2023-37544 | High | 7.5 | 2023-12-20 | Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This is… |
| CVE-2023-51437 | High | 7.4 | 2024-02-07 | Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signa… |
| CVE-2025-30677 | Medium | 6.5 | 2025-04-09 | Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Ad… |
| CVE-2022-24280 | Medium | 6.5 | 2022-09-23 | Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsa… |
| CVE-2021-41571 | Medium | 6.5 | 2022-02-01 | In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-messa… |
| CVE-2024-29834 | Medium | 6.4 | 2024-04-02 | This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading t… |
| CVE-2024-28098 | Medium | 6.4 | 2024-03-12 | The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading se… |
| CVE-2022-33683 | Medium | 5.9 | 2022-09-23 | Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is di… |
| CVE-2022-33682 | Medium | 5.9 | 2022-09-23 | TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client… |
| CVE-2022-33681 | Medium | 5.9 | 2022-09-23 | Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from th… |
| CVE-2023-31007 | Unrated | | 2023-07-12 | Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication dat… |