Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.0

Type maven

Namespace org.apache.pulsar

Name pulsar-broker

Version 2.8.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.0.4

Latest_non_vulnerable_version 3.2.2

Affected_by_vulnerabilities

url VCID-1r2z-w7cc-myg3

vulnerability_id VCID-1r2z-w7cc-myg3

summary

Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-33683

reference_id

reference_type

scores

value	0.00223
scoring_system	epss
scoring_elements	0.45108
published_at	2026-06-06T12:55:00Z

value	0.00223
scoring_system	epss
scoring_elements	0.45036
published_at	2026-06-04T12:55:00Z

value	0.00223
scoring_system	epss
scoring_elements	0.45104
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-33683

reference_url

https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T15:49:58Z/

url

https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-33683

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-33683

reference_url

https://github.com/advisories/GHSA-j3qw-g67q-7m64

reference_id

GHSA-j3qw-g67q-7m64

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j3qw-g67q-7m64

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

vulnerability	VCID-pypb-6zbf-6bfj

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

aliases CVE-2022-33683, GHSA-j3qw-g67q-7m64

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1r2z-w7cc-myg3

url VCID-2swa-djjs-jkhk

vulnerability_id VCID-2swa-djjs-jkhk

summary

Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. This issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-33682

reference_id

reference_type

scores

value	0.00284
scoring_system	epss
scoring_elements	0.52122
published_at	2026-06-06T12:55:00Z

value	0.00284
scoring_system	epss
scoring_elements	0.52052
published_at	2026-06-04T12:55:00Z

value	0.00284
scoring_system	epss
scoring_elements	0.52113
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-33682

reference_url

https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T14:45:45Z/

url

https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-33682

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-33682

reference_url

https://github.com/advisories/GHSA-jvf3-mfxv-jcqr

reference_id

GHSA-jvf3-mfxv-jcqr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jvf3-mfxv-jcqr

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

vulnerability	VCID-pypb-6zbf-6bfj

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

aliases CVE-2022-33682, GHSA-jvf3-mfxv-jcqr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2swa-djjs-jkhk

url VCID-31bf-e53a-2ya1

vulnerability_id VCID-31bf-e53a-2ya1

summary

Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace.

This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1.

3.0 Apache Pulsar users should upgrade to at least 3.0.4.
3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29834.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29834.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-29834

reference_id

reference_type

scores

value	0.00222
scoring_system	epss
scoring_elements	0.44956
published_at	2026-06-06T12:55:00Z

value	0.00222
scoring_system	epss
scoring_elements	0.4495
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-29834

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://github.com/apache/pulsar/commit/6ffe667cddad3e959e02ce31fd09b2f9a439d50a

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/6ffe667cddad3e959e02ce31fd09b2f9a439d50a

reference_url

https://github.com/apache/pulsar/commit/b51b74883fb66673161d0b73c6a7257d073c57a5

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/b51b74883fb66673161d0b73c6a7257d073c57a5

reference_url

https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:59:54Z/

url

https://lists.apache.org/thread/v0ltl94k9lg28qfr1f54hpkvvsjc5bj5

reference_url

http://www.openwall.com/lists/oss-security/2024/04/02/2

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:59:54Z/

url

http://www.openwall.com/lists/oss-security/2024/04/02/2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2272689
reference_id	2272689
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2272689

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-29834

reference_id

CVE-2024-29834

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-29834

reference_url

https://pulsar.apache.org/security/CVE-2024-29834

reference_id

CVE-2024-29834

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pulsar.apache.org/security/CVE-2024-29834

reference_url

https://pulsar.apache.org/security/CVE-2024-29834/

reference_id

CVE-2024-29834

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T13:59:54Z/

url

https://pulsar.apache.org/security/CVE-2024-29834/

reference_url

https://github.com/advisories/GHSA-7mg2-6c6v-342r

reference_id

GHSA-7mg2-6c6v-342r

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7mg2-6c6v-342r

fixed_packages

url	pkg:maven/org.apache.pulsar/pulsar-broker@3.0.4
purl	pkg:maven/org.apache.pulsar/pulsar-broker@3.0.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@3.0.4

url	pkg:maven/org.apache.pulsar/pulsar-broker@3.2.2
purl	pkg:maven/org.apache.pulsar/pulsar-broker@3.2.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@3.2.2

aliases CVE-2024-29834, GHSA-7mg2-6c6v-342r

risk_score 3.6

exploitability 0.5

weighted_severity 7.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-31bf-e53a-2ya1

url VCID-8rzm-uepy-57fa

vulnerability_id VCID-8rzm-uepy-57fa

summary

Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.

This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.

2.9 Pulsar Broker users should upgrade to at least 2.9.5.
2.10 Pulsar Broker users should upgrade to at least 2.10.4.
2.11 Pulsar Broker users should upgrade to at least 2.11.1.
3.0 Pulsar Broker users are unaffected.
Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-31007

reference_id

reference_type

scores

value	0.00073
scoring_system	epss
scoring_elements	0.2232
published_at	2026-06-06T12:55:00Z

value	0.00073
scoring_system	epss
scoring_elements	0.22334
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-31007

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj

reference_id

reference_type

scores

value	0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:35:46Z/

url

https://lists.apache.org/thread/qxn99xxyp0zv6jchjggn3soyo5gvqfxj

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-31007

reference_id

CVE-2023-31007

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-31007

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.9.5

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.9.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.9.5

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

aliases CVE-2023-31007, GHSA-47r2-phr8-m8cp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8rzm-uepy-57fa

url VCID-bsyh-2rap-33h2

vulnerability_id VCID-bsyh-2rap-33h2

summary

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.

This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.

When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.

The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-30429

reference_id

reference_type

scores

value	0.00078
scoring_system	epss
scoring_elements	0.23415
published_at	2026-06-06T12:55:00Z

value	0.00078
scoring_system	epss
scoring_elements	0.23427
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-30429

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-03T20:40:14Z/

url

https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-30429

reference_id

CVE-2023-30429

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-30429

reference_url	https://github.com/advisories/GHSA-g9cv-v3v4-3h8r
reference_id	GHSA-g9cv-v3v4-3h8r
reference_type
scores
url	https://github.com/advisories/GHSA-g9cv-v3v4-3h8r

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

aliases CVE-2023-30429, GHSA-g9cv-v3v4-3h8r

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bsyh-2rap-33h2

url VCID-c4mz-mrrx-63g2

vulnerability_id VCID-c4mz-mrrx-63g2

summary

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.

This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.

The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.

2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37544

reference_id

reference_type

scores

value	0.00067
scoring_system	epss
scoring_elements	0.2093
published_at	2026-06-06T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20944
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37544

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://github.com/apache/pulsar/commit/11ee36d0351644a006d2a8639bdcc714fb602358

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/11ee36d0351644a006d2a8639bdcc714fb602358

reference_url

https://github.com/apache/pulsar/commit/894192fb6542e504be43034a3c33e90f9c6e528a

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/894192fb6542e504be43034a3c33e90f9c6e528a

reference_url

https://github.com/apache/pulsar/commit/eac263e8f2a93d3b9f707b97c7bbcbc2a826569f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/eac263e8f2a93d3b9f707b97c7bbcbc2a826569f

reference_url

https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m

reference_url

http://www.openwall.com/lists/oss-security/2023/12/20/2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2023/12/20/2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-37544

reference_id

CVE-2023-37544

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-37544

reference_url	https://github.com/advisories/GHSA-83q5-whqp-r8jr
reference_id	GHSA-83q5-whqp-r8jr
reference_type
scores
url	https://github.com/advisories/GHSA-83q5-whqp-r8jr

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.5

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-erw1-cs2v-kub8

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.5

url pkg:maven/org.apache.pulsar/pulsar-broker@2.11.2

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.11.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.11.2

url pkg:maven/org.apache.pulsar/pulsar-broker@3.0.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@3.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@3.0.1

aliases CVE-2023-37544, GHSA-83q5-whqp-r8jr

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c4mz-mrrx-63g2

url VCID-dnz1-ydf1-z3gj

vulnerability_id VCID-dnz1-ydf1-z3gj

summary

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.

This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.

Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.

The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.
3.0 Pulsar Function Worker users are unaffected.
Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37579

reference_id

reference_type

scores

value	0.00103
scoring_system	epss
scoring_elements	0.27844
published_at	2026-06-05T12:55:00Z

value	0.00103
scoring_system	epss
scoring_elements	0.27792
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37579

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-08T13:34:09Z/

url

https://lists.apache.org/thread/0dmn3cb5n2p08o3cpj3ycfhzfqs2ppwz

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-37579

reference_id

CVE-2023-37579

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-37579

reference_url	https://github.com/advisories/GHSA-74mc-g2xv-pch2
reference_id	GHSA-74mc-g2xv-pch2
reference_type
scores
url	https://github.com/advisories/GHSA-74mc-g2xv-pch2

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.11.1

aliases CVE-2023-37579, GHSA-74mc-g2xv-pch2

risk_score 3.7

exploitability 0.5

weighted_severity 7.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dnz1-ydf1-z3gj

url VCID-ewj7-etuc-2fch

vulnerability_id VCID-ewj7-etuc-2fch

summary

Exposure of Sensitive Information to an Unauthorized Actor
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.

Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.

2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.

For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-51437

reference_id

reference_type

scores

value	0.00095
scoring_system	epss
scoring_elements	0.26483
published_at	2026-06-06T12:55:00Z

value	0.00095
scoring_system	epss
scoring_elements	0.26492
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-51437

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://github.com/apache/pulsar/commit/6274fa01a75d74d559bb7e514c970f1fc07d15bc

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/6274fa01a75d74d559bb7e514c970f1fc07d15bc

reference_url

https://github.com/apache/pulsar/commit/bc1019fa8ed37b8a4c8bb01e3662c6c015e1bc27

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/bc1019fa8ed37b8a4c8bb01e3662c6c015e1bc27

reference_url

https://github.com/apache/pulsar/commit/c05954e66ff33098aeb848f4bde51613ace7e47e

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/c05954e66ff33098aeb848f4bde51613ace7e47e

reference_url

https://github.com/apache/pulsar/commit/c27beca64cc93848c40a374f19eaf4d3cc4f4f03

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/commit/c27beca64cc93848c40a374f19eaf4d3cc4f4f03

reference_url

https://github.com/apache/pulsar/pull/21061

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/pull/21061

reference_url

https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-07T15:10:54Z/

url

https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5

reference_url

https://www.openwall.com/lists/oss-security/2024/02/07/1

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-07T15:10:54Z/

url

https://www.openwall.com/lists/oss-security/2024/02/07/1

reference_url

http://www.openwall.com/lists/oss-security/2024/02/07/1

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2024/02/07/1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-51437

reference_id

CVE-2023-51437

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-51437

reference_url

https://github.com/advisories/GHSA-c57v-4vg5-cm2x

reference_id

GHSA-c57v-4vg5-cm2x

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c57v-4vg5-cm2x

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.6

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.6

url pkg:maven/org.apache.pulsar/pulsar-broker@2.11.3

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.11.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-erw1-cs2v-kub8

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.11.3

url pkg:maven/org.apache.pulsar/pulsar-broker@3.0.2

purl pkg:maven/org.apache.pulsar/pulsar-broker@3.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-erw1-cs2v-kub8

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@3.0.2

url pkg:maven/org.apache.pulsar/pulsar-broker@3.1.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@3.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@3.1.1

aliases CVE-2023-51437, GHSA-c57v-4vg5-cm2x

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ewj7-etuc-2fch

url VCID-p4nm-mzhn-r7eu

vulnerability_id VCID-p4nm-mzhn-r7eu

summary Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33681.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33681.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-33681

reference_id

reference_type

scores

value	0.00177
scoring_system	epss
scoring_elements	0.39013
published_at	2026-06-06T12:55:00Z

value	0.00177
scoring_system	epss
scoring_elements	0.38921
published_at	2026-06-04T12:55:00Z

value	0.00177
scoring_system	epss
scoring_elements	0.39009
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-33681

reference_url

https://github.com/apache/pulsar/tree/db26073728bf86fc80deecaece2dc02b50bbb9b5/pulsar-client

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/tree/db26073728bf86fc80deecaece2dc02b50bbb9b5/pulsar-client

reference_url

https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T20:36:59Z/

url

https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-33681

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-33681

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2136207
reference_id	2136207
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2136207

reference_url

https://github.com/advisories/GHSA-c5fp-x2h5-vjv7

reference_id

GHSA-c5fp-x2h5-vjv7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c5fp-x2h5-vjv7

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

vulnerability	VCID-pypb-6zbf-6bfj

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.1

aliases CVE-2022-33681, GHSA-c5fp-x2h5-vjv7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p4nm-mzhn-r7eu

url VCID-pypb-6zbf-6bfj

vulnerability_id VCID-pypb-6zbf-6bfj

summary

Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when `tlsAllowInsecureConnection` is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the `ClientCredentialFlow` "issuer url". The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine "between" the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way.

This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier.

Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including `client_id` and `client_secret`.
- 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials.
- 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials.
- 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials.
- 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released.
- Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-33684

reference_id

reference_type

scores

value	0.00113
scoring_system	epss
scoring_elements	0.29548
published_at	2026-06-05T12:55:00Z

value	0.00113
scoring_system	epss
scoring_elements	0.2951
published_at	2026-06-06T12:55:00Z

value	0.00113
scoring_system	epss
scoring_elements	0.2948
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-33684

reference_url

https://github.com/apache/pulsar-client-cpp

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar-client-cpp

reference_url

https://github.com/apache/pulsar/pull/16064

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/pull/16064

reference_url

https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-02T18:56:43Z/

url

https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f

reference_url

https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-02T18:56:43Z/

url

https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-33684

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-33684

reference_url

https://github.com/advisories/GHSA-5r3h-c3r7-9w4h

reference_id

GHSA-5r3h-c3r7-9w4h

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5r3h-c3r7-9w4h

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.4

url pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.9.3

url pkg:maven/org.apache.pulsar/pulsar-broker@2.10.2

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.10.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.10.2

aliases CVE-2022-33684, GHSA-5r3h-c3r7-9w4h

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pypb-6zbf-6bfj

url VCID-tgsv-dh9e-6fc3

vulnerability_id VCID-tgsv-dh9e-6fc3

summary

Incorrect Authorization
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it for the topic. Authorisation controls are performed against the topic name and there is not proper validation the that ledger id is valid in the context of such ledger. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41571.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41571.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-41571

reference_id

reference_type

scores

value	0.00979
scoring_system	epss
scoring_elements	0.77092
published_at	2026-06-04T12:55:00Z

value	0.00979
scoring_system	epss
scoring_elements	0.77133
published_at	2026-06-06T12:55:00Z

value	0.00979
scoring_system	epss
scoring_elements	0.77123
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-41571

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://github.com/apache/pulsar/issues/11814

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/issues/11814

reference_url

https://github.com/apache/pulsar/pull/11852

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/pull/11852

reference_url

https://github.com/apache/pulsar/pull/11912

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/pull/11912

reference_url

https://github.com/apache/pulsar/pull/11913

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/pull/11913

reference_url

https://github.com/apache/pulsar/releases/tag/v2.7.4

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/releases/tag/v2.7.4

reference_url

https://github.com/apache/pulsar/releases/tag/v2.8.1

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/releases/tag/v2.8.1

reference_url

https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr

reference_url

https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2048682
reference_id	2048682
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2048682

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-41571

reference_id

CVE-2021-41571

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-41571

reference_url

https://github.com/advisories/GHSA-3whx-qrj5-hh2h

reference_id

GHSA-3whx-qrj5-hh2h

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3whx-qrj5-hh2h

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.8.1

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1r2z-w7cc-myg3

vulnerability	VCID-2swa-djjs-jkhk

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

vulnerability	VCID-p4nm-mzhn-r7eu

vulnerability	VCID-pypb-6zbf-6bfj

vulnerability	VCID-xdcg-jprt-4fbq

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.1

aliases CVE-2021-41571, GHSA-3whx-qrj5-hh2h

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tgsv-dh9e-6fc3

url VCID-xdcg-jprt-4fbq

vulnerability_id VCID-xdcg-jprt-4fbq

summary

Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint
Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. It hasn’t been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-24280

reference_id

reference_type

scores

value	0.00224
scoring_system	epss
scoring_elements	0.45169
published_at	2026-06-04T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.4524
published_at	2026-06-06T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45237
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-24280

reference_url

https://github.com/apache/pulsar

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar

reference_url

https://github.com/apache/pulsar/wiki/CVE-2022-24280

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/pulsar/wiki/CVE-2022-24280

reference_url

https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T20:39:12Z/

url

https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-24280

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-24280

reference_url

https://github.com/advisories/GHSA-3mg9-m3f6-v7fq

reference_id

GHSA-3mg9-m3f6-v7fq

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3mg9-m3f6-v7fq

fixed_packages

url pkg:maven/org.apache.pulsar/pulsar-broker@2.8.3

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.8.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1r2z-w7cc-myg3

vulnerability	VCID-2swa-djjs-jkhk

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

vulnerability	VCID-p4nm-mzhn-r7eu

vulnerability	VCID-pypb-6zbf-6bfj

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.3

url pkg:maven/org.apache.pulsar/pulsar-broker@2.9.2

purl pkg:maven/org.apache.pulsar/pulsar-broker@2.9.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1r2z-w7cc-myg3

vulnerability	VCID-2swa-djjs-jkhk

vulnerability	VCID-31bf-e53a-2ya1

vulnerability	VCID-8rzm-uepy-57fa

vulnerability	VCID-9byk-3h6x-8bcb

vulnerability	VCID-bsyh-2rap-33h2

vulnerability	VCID-c4mz-mrrx-63g2

vulnerability	VCID-dnz1-ydf1-z3gj

vulnerability	VCID-ewj7-etuc-2fch

vulnerability	VCID-p4nm-mzhn-r7eu

vulnerability	VCID-pypb-6zbf-6bfj

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.9.2

aliases CVE-2022-24280, GHSA-3mg9-m3f6-v7fq

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xdcg-jprt-4fbq

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pulsar/pulsar-broker@2.8.0

Package Instance