Description

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  8.1 HIGH

Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f	Exploit  Issue Tracking  Patch  Third Party Advisory
https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv	Issue Tracking  Mailing List  Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-295	Improper Certificate Validation	NIST   Apache Software Foundation

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by Apache Software Foundation 5/14/2024 6:50:00 AM

Action	Type	Old Value	New Value

Modified Analysis by NIST 1/26/2023 3:07:49 PM

Action	Type	Old Value	New Value
Added	CWE		NIST CWE-295
Changed	Reference Type	https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f No Types Assigned	https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f Exploit, Issue Tracking, Patch, Third Party Advisory

CVE Modified by Apache Software Foundation 1/17/2023 5:15:10 AM

Action	Type	Old Value	New Value
Added	Reference		https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f [No Types Assigned]

Initial Analysis by NIST 11/07/2022 11:20:29 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* versions up to (including) 2.6.4 *cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* versions from (including) 2.7.0 up to (excluding) 2.7.5 *cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* versions from (including) 2.8.0 up to (excluding) 2.8.4 *cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* versions from (including) 2.9.0 up to (excluding) 2.9.3 *cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* versions from (including) 2.10.0 up to (excluding) 2.10.2
Added	CVSS V3.1		NIST AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Changed	Reference Type	https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv No Types Assigned	https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv Issue Tracking, Mailing List, Vendor Advisory