GitHub user lhotari deleted a comment on the discussion: The jetty version in 
pulsar has security risks.

@opencmit2 There isn't a fix available for CVE-2024-6763 at the moment. The 
severity of CVE-2024-6763 is moderate (6.3/10). However, the impact for Pulsar 
is low.

You shouldn't expose Pulsar directly to untrusted clients in the first place. 
There are security details [in the Apache Pulsar Helm chart README](https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#important-security-advisory-for-helm-chart-usage). With a proper setup, it's possible to mitigate this issue, although Jetty still contains this particular vulnerability.

The Apache Pulsar project doesn't support exposing Apache Pulsar over untrusted 
networks at all. The project currently lacks instructions for a secure setup, 
which is obviously a gap that would require volunteer contributors to address.

There is a plan to resolve this issue by upgrading to Jetty 12 in Pulsar. You 
can find details about the progress in the comments of issue #22939.

GitHub link: 
https://github.com/apache/pulsar/discussions/24113#discussioncomment-12599323

----
This is an automatically sent email for commits@pulsar.apache.org.