This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pulsar-site.git
The following commit(s) were added to refs/heads/main by this push:
new 61cd6f36a3a5 Publish CVE-2024-29834
61cd6f36a3a5 is described below
commit 61cd6f36a3a5360136c665b6fb814f024c03f529
Author: Lari Hotari <[email protected]>
AuthorDate: Tue Apr 2 10:35:47 2024 +0300
Publish CVE-2024-29834
---
security/CVE-2024-29834.md | 27 +++++++++++++++++++++++++++
security/index.md | 1 +
2 files changed, 28 insertions(+)
diff --git a/security/CVE-2024-29834.md b/security/CVE-2024-29834.md
new file mode 100644
index 000000000000..186e72f2c778
--- /dev/null
+++ b/security/CVE-2024-29834.md
@@ -0,0 +1,27 @@
+# CVE-2024-29834: Apache Pulsar: Improper Authorization For Namespace and
Topic Management Endpoints
+
+## Affected versions:
+
+- Apache Pulsar 2.7.1 through 2.10.6
+- Apache Pulsar 2.11.0 through 2.11.4
+- Apache Pulsar 3.0.0 before 3.0.4
+- Apache Pulsar 3.1.0 through 3.1.3
+- Apache Pulsar 3.2.0 before 3.2.2
+
+## Description:
+
+This vulnerability allows authenticated users with produce or consume
permissions to perform unauthorized operations on partitioned topics, such as
unloading topics and triggering compaction. These management operations should
be restricted to users with the tenant admin role or superuser role. An
authenticated user with produce permission can create subscriptions and update
subscription properties on partitioned topics, even though this should be
limited to users with consume permission [...]
+
+This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to
2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.
+
+3.0 Apache Pulsar users should upgrade to at least 3.0.4.<br/>
+3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.<br/>
+
+Users operating versions prior to those listed above should upgrade to the
aforementioned patched versions or newer versions.
+
+References:
+
+- https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5
+- https://www.cve.org/CVERecord?id=CVE-2024-29834
+
+[Security Advisories](index.md)
\ No newline at end of file
diff --git a/security/index.md b/security/index.md
index b4def4388f79..6f844a764bbb 100644
--- a/security/index.md
+++ b/security/index.md
@@ -4,6 +4,7 @@
### 2024
+* 2024-04-02 [CVE-2024-29834](CVE-2024-29834.md) Improper Authorization For
Namespace and Topic Management Endpoints
* 2024-03-12 [CVE-2022-34321](CVE-2022-34321.md) Improper Authentication for
Pulsar Proxy Statistics Endpoint
* 2024-03-12 [CVE-2024-27135](CVE-2024-27135.md) Improper Input Validation in
Pulsar Function Worker allows Remote Code Execution
* 2024-03-12 [CVE-2024-27317](CVE-2024-27317.md) Pulsar Functions Worker's
Archive Extraction Vulnerability Allows Unauthorized File Modification
