CVE Daily
← All tags

Tag: Apache Pulsar

All CVEs associated with "Apache Pulsar". Page 1/1 • 20 CVEs.

About “Apache Pulsar”

A curated feed of “Apache Pulsar”-related CVEs appears below. We currently track 20 CVEs for this tag (all time). In the last 365 days, 0 were published. Average CVSS is 7.1 (all time), and 55% are rated High/Critical (all time). Top CWEs (all time): CWE-863 - Incorrect Authorization, CWE-295 - Improper Certificate Validation, CWE-20 - Improper Input Validation.

In our taxonomy this topic maps to a LOW impact class. Message brokers and streaming platforms require strict ACLs and TLS. Patch brokers and clients, isolate management ports, limit anonymous access, and set resource limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-pulsar

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestExtended SupportEOLLTS
4.24.2.1 Soon
4.14.1.3 Expired
4.04.0.10 SoonLTS
3.33.3.9 Expired
3.23.2.4 Expired
3.13.1.3 Expired
3.03.0.17 ExpiredLTS
2.112.11.4 Expired
2.102.10.6 Expired
2.92.9.5 Expired
2.82.8.4 Expired
2.72.7.5 Expired
2.62.6.4 Expired
2.52.5.2 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Apache Pulsar”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-04-09
Medium

CVE-2025-30677

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive confi…

CVSS: 6.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2024-04-02
Medium

CVE-2024-29834

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These m…

CVSS: 6.4 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-03-12
Medium

CVE-2024-28098

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations shou…

CVSS: 6.4 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2024-27894

The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "f…

CVSS: 8.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2024-27317

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is up…

CVSS: 8.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-27135

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for run…

CVSS: 8.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2022-34321

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics abo…

CVSS: 8.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-02-07
High

CVE-2023-51437

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended…

CVSS: 7.4 CWE: CWE-203 - Observable Discrepancy View on NVD
2023-12-20
High

CVE-2023-37544

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Prox…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2023-07-12
High

CVE-2023-37579

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a…

CVSS: 8.2 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2023-31007

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected throug…

CVSS: 0.0 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2023-30429

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker…

CVSS: 9.6 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2023-30428

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using th…

CVSS: 8.2 CWE: CWE-863 - Incorrect Authorization View on NVD
2022-11-04
High

CVE-2022-33684

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration.…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-09-23
Medium

CVE-2022-33683

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Adm…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2022-33682

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client le…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2022-33681

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broke…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2022-24280

Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pu…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2022-02-01
Medium

CVE-2021-41571

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a to…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-05-26
Critical

CVE-2021-22160

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none…

CVSS: 9.8 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox