CVE-2024-28098 in Pulsar
Summary
by MITRE • 03/12/2024
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.
This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Analysis
by VulDB Data Team • 01/19/2025
This vulnerability represents a critical authorization bypass flaw in Apache Pulsar that undermines the system's access control mechanisms. The issue stems from insufficient privilege validation during topic-level policy management operations, allowing users with minimal permissions to manipulate core broker settings. Specifically, authenticated users possessing only produce or consume permissions can modify topic-level configurations, including retention policies, time-to-live settings, and offloading parameters, that should be restricted to administrative roles. This represents a significant escalation of privileges that violates the principle of least privilege fundamental to secure system design.
The technical implementation flaw manifests in the authorization checking logic within Pulsar's topic management subsystem, where the system fails to properly validate user roles before permitting policy modifications. This vulnerability affects multiple release branches spanning versions 2.7.1 through 2.10.5, 2.11.0 through 2.11.3, 3.0.0 through 3.0.2, 3.1.0 through 3.1.2, and 3.2.0, indicating a widespread issue across the product's lifecycle. The flaw exists in the broker's access control enforcement layer, where topic-level administrative operations are not properly gated by role-based access controls, creating a path for unauthorized modifications to core messaging infrastructure settings.
From an operational impact perspective, this vulnerability exposes organizations to potential data loss, service disruption, and unauthorized data handling. Attackers could manipulate retention policies to prematurely delete important messages or set excessively long retention periods to consume storage resources. Time-to-live settings could be modified to create denial-of-service conditions or enable data exfiltration through extended message availability. Offloading configurations might be altered to compromise data integrity or availability. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under privilege escalation and persistence tactics, with the potential for attackers to establish long-term access through manipulated topic configurations.
The security implications extend beyond immediate policy manipulation to encompass broader system integrity concerns. Organizations using Apache Pulsar in production environments face significant risk as this flaw could enable attackers to compromise message delivery semantics, alter data flow patterns, or create backdoor access points through carefully crafted topic configurations. The vulnerability aligns with CWE-284 (Improper Access Control) and CWE-732 (Incorrect Permission Assignment for Critical Resource) classifications, highlighting the fundamental breakdown in authorization enforcement. System administrators must urgently implement the recommended version upgrades to remediate this issue, with specific patch versions provided for each affected release line to ensure complete mitigation of the authorization bypass vulnerability.
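The following is an added example, not Apache Pulsar's own code, that models the two points above: the version check against the affected and fixed releases listed in the summary, and the authorization decision for topic-level policy operations as the analysis describes it before and after the fix. The operation names, the Principal model and the audit-record format are assumptions constructed for illustration, not Pulsar identifiers.

```python
"""Added example (not Pulsar code): version check for CVE-2024-28098, the
pre-fix versus intended authorization decision, and a review of constructed
policy-change records for non-admin actors."""
from dataclasses import dataclass, field

FIRST_AFFECTED = (2, 7, 1)
# First fixed release of each branch that received a fix, per the advisory.
FIXED_BY_BRANCH = {(2, 10): (2, 10, 6), (2, 11): (2, 11, 4), (3, 0): (3, 0, 3),
                   (3, 1): (3, 1, 3), (3, 2): (3, 2, 1)}

def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split(".")[:3])

def is_affected(version: str) -> bool:
    """True if the broker version falls in a listed affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # 2.7.1 up to the 2.10 line has no in-branch fix; versions newer than
    # the listed ranges are not listed as affected.
    return v < (2, 10, 0)

# Hypothetical operation names for the policy types named in the advisory.
TOPIC_POLICY_OPS = {"set_retention", "set_ttl", "set_offload_policies"}

@dataclass
class Principal:
    role: str
    topic_perms: set = field(default_factory=set)  # subset of {"produce", "consume"}
    tenant_admin: bool = False
    superuser: bool = False

def vulnerable_allows(p: Principal, op: str) -> bool:
    # Pre-fix decision as described: any topic permission passes the policy check.
    if op in TOPIC_POLICY_OPS:
        return p.superuser or p.tenant_admin or bool(p.topic_perms)
    return p.superuser or p.tenant_admin or op in p.topic_perms

def hardened_allows(p: Principal, op: str) -> bool:
    # Intended decision: policy management requires tenant admin or superuser.
    if op in TOPIC_POLICY_OPS:
        return p.superuser or p.tenant_admin
    return p.superuser or p.tenant_admin or op in p.topic_perms

def suspicious_policy_changes(records, admin_roles: set) -> list:
    """Return (role, op, topic) records of policy changes by non-admin roles."""
    return [r for r in records if r[1] in TOPIC_POLICY_OPS and r[0] not in admin_roles]

# Constructed audit records (role, operation, topic); not real Pulsar log output.
SAMPLE_RECORDS = [
    ("app-producer", "set_retention", "persistent://acme/orders/events"),
    ("ops-admin", "set_ttl", "persistent://acme/orders/events"),
    ("app-consumer", "consume", "persistent://acme/orders/events"),
]
```

Running `suspicious_policy_changes(SAMPLE_RECORDS, {"ops-admin"})` on the constructed records flags only the producer's retention change, the kind of event worth reviewing on brokers that ran an affected version.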