Vulnerability Details : CVE-2021-41571
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to supply a topic and a ledger id. The ledger id is a pointer to the data and is supposed to be a valid id for that topic. Authorisation checks are performed against the topic name only; there is no proper validation that the ledger id is valid in the context of that topic. As a result, a user may be able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
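The flaw above is an authorisation check bound to the wrong object: the topic name is checked, but the caller-supplied ledger id is never tied back to that topic. The following is an added example, not Pulsar's own code, that models this in a few lines: a vulnerable handler that authorises on the topic and then reads whatever ledger it was given, beside a hardened handler that also confirms the ledger belongs to the authorised topic. The topic-to-ledger map (a stand-in for the broker's managed-ledger metadata), the ledger contents, the role names and the topic names are all constructed for illustration.

```python
"""Added example (not Pulsar code): topic-level authorisation alone does not
bound a read when the caller also chooses the ledger id."""

from typing import Callable


class Forbidden(Exception):
    """The caller's role is not allowed to consume the requested topic."""


class NotFound(Exception):
    """The ledger or entry does not exist for the requested topic."""


# Constructed topic names for two tenants.
TOPIC_A = "persistent://tenant-a/ns/orders"
TOPIC_B = "persistent://tenant-b/ns/payments"

# Constructed metadata: which ledgers back each topic. In a real broker this
# comes from the managed-ledger metadata, not from the client request.
TOPIC_LEDGERS = {TOPIC_A: {101, 102}, TOPIC_B: {201}}

# Constructed BookKeeper contents: ledger id -> entry id -> payload.
LEDGER_ENTRIES = {
    101: {0: b"order-1"},
    102: {0: b"order-2"},
    201: {0: b"payment-1"},
}

# Constructed authorisation policy: role -> topics it may consume.
ROLE_TOPICS = {"role-a": {TOPIC_A}, "role-b": {TOPIC_B}}


def authorize_topic(role: str, topic: str) -> None:
    """Topic-name authorisation, as performed by both handlers below."""
    if topic not in ROLE_TOPICS.get(role, set()):
        raise Forbidden(f"{role} may not consume {topic}")


def get_message_by_id_vulnerable(role: str, topic: str, ledger_id: int, entry_id: int) -> bytes:
    """The pattern the advisory describes: the topic is authorised, but the
    ledger id is taken from the caller at face value, so any ledger is readable."""
    authorize_topic(role, topic)
    try:
        return LEDGER_ENTRIES[ledger_id][entry_id]
    except KeyError:
        raise NotFound(f"ledger {ledger_id} entry {entry_id}") from None


def get_message_by_id_fixed(role: str, topic: str, ledger_id: int, entry_id: int) -> bytes:
    """Hardened: the ledger must be one of the ledgers that back the authorised topic."""
    authorize_topic(role, topic)
    if ledger_id not in TOPIC_LEDGERS.get(topic, set()):
        # Same error as a missing entry, so the response does not reveal
        # whether the ledger id exists under some other tenant's topic.
        raise NotFound(f"ledger {ledger_id} is not part of {topic}")
    try:
        return LEDGER_ENTRIES[ledger_id][entry_id]
    except KeyError:
        raise NotFound(f"ledger {ledger_id} entry {entry_id}") from None


def attempt(handler: Callable[..., bytes], *args) -> object:
    """Run a handler and report either the payload or the error class name."""
    try:
        return handler(*args)
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # role-a is authorised for its own topic but names tenant-b's ledger.
    print("vulnerable:", attempt(get_message_by_id_vulnerable, "role-a", TOPIC_A, 201, 0))
    print("fixed:     ", attempt(get_message_by_id_fixed, "role-a", TOPIC_A, 201, 0))
```

The hardened handler rejects the cross-topic ledger with the same error it uses for a nonexistent entry; returning a distinct "ledger belongs to another topic" error would let a caller probe which ledger ids are in use elsewhere. Checking ledger membership against broker-side metadata, rather than anything in the request, is the property that bounds the read to the authorised topic.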
Products affected by CVE-2021-41571
- cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pulsar:2.8.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41571
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~56% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-41571
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | 
CWE ids for CVE-2021-41571
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary), security@apache.org (Secondary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Assigned by: nvd@nist.gov (Secondary), security@apache.org (Primary)
References for CVE-2021-41571
- https://github.com/apache/pulsar/issues/11814 : "[Pulsar admin] admin command 'get-message-by-id' can get message by messageId regardless of topic name · Issue #11814 · apache/pulsar · GitHub" (Exploit; Issue Tracking; Patch; Third Party Advisory)
- https://lists.apache.org/thread/8n3k7pvyh4cf9q2jfzb6pb32ync6xlvr : "CVE-2021-41571: Apache Pulsar: Pulsar Admin API allows access to data from other tenants using getMessageById API" (Apache Mail Archives; Mailing List; Vendor Advisory)
- https://pulsar.apache.org/admin-rest-api/#operation/getLastMessageId (Patch; Vendor Advisory)