Skip to main content

Security

Security Policy​

The Pulsar community follows the ASF security vulnerability handling process.

To report a new vulnerability you have discovered, please follow the ASF security vulnerability reporting process. To report a vulnerability for Pulsar, contact the Apache Security Team. When reporting a vulnerability to security@apache.org, you can copy your email to private@pulsar.apache.org to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.

It is the responsibility of the security vulnerability handling project team (Apache Pulsar PMC in most cases) to make public security vulnerability announcements. You can follow announcements on the users@pulsar.apache.org mailing list. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.

Security advisories​

Please subscribe to the users@pulsar.apache.org mailing list to receive Apache Pulsar security advisories when they are published. For instructions on how to subscribe, please see https://pulsar.apache.org/contact/.

2024​

2023​

  • 2023-12-20 CVE-2023-37544 Improper Authentication for WebSocket Proxy Endpoint Allows DoS
  • 2023-07-13 CVE-2023-31007 Broker does not always disconnect client when authentication data expires
  • 2023-07-12 CVE-2023-30428 Incorrect Authorization Validation for Rest Producer
  • 2023-07-12 CVE-2023-30429 Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy
  • 2023-07-12 CVE-2023-37579 Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials

2022​

  • 2022-01-31 CVE-2021-41571 Pulsar Admin API allows access to data from other tenants using getMessageById API
  • 2022-09-22 CVE-2022-24280 Apache Pulsar Proxy target broker address isn't validated
  • 2022-09-22 CVE-2022-33681 Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
  • 2022-09-22 CVE-2022-33682 Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack
  • 2022-09-22 CVE-2022-33683 Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack
  • 2022-11-03 CVE-2022-33684 Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation

2021​

  • 2021-05-25 CVE-2021-22160 Authentication with JWT allows use of "none"-algorithm