SCA: security update for org.apache.pulsar:pulsar (GHSA-g9cv-v3v4-3h8r)

high Tenable Cloud Security Plugin ID 415026

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects
Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the
Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function
Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for
authorization instead of the client's role, which can lead to privilege escalation, especially if the
proxy is configured with a superuser role. The recommended mitigation for impacted users is to upgrade the
Pulsar Function Worker to a patched version. 2.10 Pulsar Function Worker users should upgrade to at least
2.10.4. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.1. 3.0 Pulsar Function Worker
users are unaffected. Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to
one of the above patched versions. (CVE-2023-30429)

See Also

https://github.com/advisories/GHSA-g9cv-v3v4-3h8r

Plugin Details

Severity: High

ID: 415026

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-30429

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/12/2023

Vulnerability Publication Date: 7/12/2023

Reference Information

CVE: CVE-2023-30429

cwe: CWE-863