Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.9.5
Type maven
Namespace org.apache.pulsar
Name pulsar-broker-common
Version 2.9.5
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.10.4
Latest_non_vulnerable_version 2.11.1
Affected_by_vulnerabilities
0
url VCID-bsyh-2rap-33h2
vulnerability_id VCID-bsyh-2rap-33h2
summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.

This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.

When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.

The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-30429
reference_id
reference_type
scores
0
value 0.00078
scoring_system epss
scoring_elements 0.23427
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-30429
1
reference_url https://github.com/apache/pulsar
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/pulsar
2
reference_url https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T20:40:14Z/
url https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-30429
reference_id CVE-2023-30429
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-30429
4
reference_url https://github.com/advisories/GHSA-g9cv-v3v4-3h8r
reference_id GHSA-g9cv-v3v4-3h8r
reference_type
scores
url https://github.com/advisories/GHSA-g9cv-v3v4-3h8r
fixed_packages
0
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
1
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
aliases CVE-2023-30429, GHSA-g9cv-v3v4-3h8r
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bsyh-2rap-33h2
1
url VCID-dnz1-ydf1-z3gj
vulnerability_id VCID-dnz1-ydf1-z3gj
summary
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.

This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.

Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.

The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37579
reference_id
reference_type
scores
0
value 0.00103
scoring_system epss
scoring_elements 0.27844
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37579
1
reference_url https://github.com/apache/pulsar
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/pulsar
2
reference_url https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T13:34:09Z/
url https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37579
reference_id CVE-2023-37579
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37579
4
reference_url https://github.com/advisories/GHSA-74mc-g2xv-pch2
reference_id GHSA-74mc-g2xv-pch2
reference_type
scores
url https://github.com/advisories/GHSA-74mc-g2xv-pch2
fixed_packages
0
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
1
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
aliases CVE-2023-37579, GHSA-74mc-g2xv-pch2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dnz1-ydf1-z3gj
Fixing_vulnerabilities
0
url VCID-8rzm-uepy-57fa
vulnerability_id VCID-8rzm-uepy-57fa
summary
Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.

This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.

2.9 Pulsar Broker users should upgrade to at least 2.9.5.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-31007
reference_id
reference_type
scores
0
value 0.00073
scoring_system epss
scoring_elements 0.22334
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-31007
1
reference_url https://github.com/apache/pulsar
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/pulsar
2
reference_url https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj
reference_id
reference_type
scores
0
value 0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:35:46Z/
url https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31007
reference_id CVE-2023-31007
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-31007
fixed_packages
0
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.9.5
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.9.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bsyh-2rap-33h2
1
vulnerability VCID-dnz1-ydf1-z3gj
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.9.5
1
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.10.4
2
url pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
purl pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.11.1
aliases CVE-2023-31007, GHSA-47r2-phr8-m8cp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8rzm-uepy-57fa
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker-common@2.9.5