Apache Pulsar
20 CVEs affecting Apache Pulsar. Latest disclosed: 2025-04-09. Critical: 2, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-22160 | Critical | 9.8 | 2021-05-26 | If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorith… |
| CVE-2023-30429 | Critical | 9.6 | 2023-07-12 | Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client… |
| CVE-2024-27894 | High | 8.5 | 2024-03-12 | The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a U… |
| CVE-2024-27135 | High | 8.5 | 2024-03-12 | Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, out… |
| CVE-2024-27317 | High | 8.4 | 2024-03-12 | In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Wo… |
| CVE-2022-34321 | High | 8.2 | 2024-03-12 | Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable… |
| CVE-2023-37579 | High | 8.2 | 2023-07-12 | Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0… |
| CVE-2023-30428 | High | 8.2 | 2023-07-12 | Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to… |
| CVE-2022-33684 | High | 8.1 | 2022-11-04 | The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureC… |
| CVE-2023-37544 | High | 7.5 | 2023-12-20 | Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This is… |
| CVE-2023-51437 | High | 7.4 | 2024-02-07 | Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signa… |
| CVE-2025-30677 | Medium | 6.5 | 2025-04-09 | Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Ad… |
| CVE-2022-24280 | Medium | 6.5 | 2022-09-23 | Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsa… |
| CVE-2021-41571 | Medium | 6.5 | 2022-02-01 | In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-messa… |
| CVE-2024-29834 | Medium | 6.4 | 2024-04-02 | This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading t… |
| CVE-2024-28098 | Medium | 6.4 | 2024-03-12 | The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading se… |
| CVE-2022-33683 | Medium | 5.9 | 2022-09-23 | Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is di… |
| CVE-2022-33682 | Medium | 5.9 | 2022-09-23 | TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client… |
| CVE-2022-33681 | Medium | 5.9 | 2022-09-23 | Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from th… |
| CVE-2023-31007 | Unrated | | 2023-07-12 | Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication dat… |