Cybersecurity specialists reported the finding of six security flaws in Apache Pulsar, the cloud-native messaging and streaming platform initially developed by Yahoo! and currently maintained by the Apache Software Foundation. According to the report, successful exploitation of these flaws would allow remote code execution, leaking of sensitive information, and other risk scenarios.

Below are brief descriptions of the reported flaws, together with their CVE tracking identifiers and their scores under the Common Vulnerability Scoring System (CVSS).

CVE-2020-26238: Improper input validation in the affected tool would allow threat actors to submit a specially crafted request and execute arbitrary code on the target system.

The flaw received a CVSS score of 7.1/10 and its successful exploitation would allow the total compromise of the affected system.

CVE-2020-15250: The application uses the TemporaryFolder test rule, which stores sensitive information in temporary files under the system temporary directory, where they are accessible to other users of the system. A local user could read those temporary files and obtain sensitive information.

This flaw received a score of 2.9/10.

CVE-2020-8908: Incorrect default permissions on the temporary directory created by Guava's com.google.common.io.Files.createTempDir() would allow local users of the target system to view or modify the files and directories inside it.

The flaw received a score of 3.9/10 and its successful exploitation would allow attackers to escalate privileges on the affected system.
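Both CVE-2020-15250 and CVE-2020-8908 come down to the same defect: a temporary directory created with the process umask, so other local users can read or modify what is placed there. The following added Java example (not Pulsar, Guava or JUnit code) shows the hardened pattern, creating the directory with owner-only permissions atomically via java.nio, plus a check a deployment test can run against any existing directory. The prefix string and the class name are assumptions for the example; it requires a POSIX file system (on Windows the permission calls throw UnsupportedOperationException).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempDirHardening {

    // Weak form, shown only for contrast and kept out of the compiled code:
    // Guava's Files.createTempDir() creates the directory under java.io.tmpdir
    // with the default umask, so on a shared host other local users may be
    // able to list, read or replace what is written there.
    //
    //   File dir = com.google.common.io.Files.createTempDir();

    // Hardened form: java.nio creates the directory and applies rwx------ in
    // the same operation, so there is no window in which the directory exists
    // with wider permissions.
    static Path hardenedTempDir(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        return Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Defensive check for an existing directory: does it grant any permission
    // at all to group or others? Useful in a startup self-test or a CI check
    // of the directories a service writes into.
    static boolean isGroupOrWorldAccessible(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        EnumSet<PosixFilePermission> nonOwner = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        for (PosixFilePermission p : perms) {
            if (nonOwner.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // "pulsar-example-" is an arbitrary prefix chosen for this example.
        Path dir = hardenedTempDir("pulsar-example-");
        System.out.println(dir + " group/world accessible: " + isGroupOrWorldAccessible(dir));
        Files.delete(dir);
    }
}
```

Fixing the permissions after creation (for example with chmod) is not equivalent: the directory would briefly exist with the umask permissions, which is exactly the race the atomic form avoids. Guava deprecated Files.createTempDir() in favour of java.nio.file.Files.createTempDirectory for this reason.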

CVE-2018-10237: Unbounded memory allocation would allow remote attackers to crash a service that deserializes attacker-provided data, because the AtomicDoubleArray class and the CompoundOrdering class perform an allocation without properly checking what the client has sent.

The flaw received a CVSS score of 4.6/10 and its successful exploitation would allow for a denial of service (DoS) attack.
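The allocation pattern behind CVE-2018-10237 is a custom readObject that trusts a length field from the stream. The added Java example below (not Guava or Pulsar code) contrasts that weak pattern with one that validates the element count against an explicit bound before allocating, and round-trips a small constructed object through Java serialization to show the hardened path still works. The bound value, the class and the sample values are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public class BoundedDeserialization implements Serializable {
    private static final long serialVersionUID = 1L;

    // Largest element count we are willing to allocate from untrusted input.
    // The value is an assumption for this example; pick it from the real
    // message sizes the service is expected to handle.
    private static final int MAX_ELEMENTS = 1 << 16;

    // Written and read manually so that the length is under our control.
    private transient double[] values;

    BoundedDeserialization(double[] values) {
        this.values = values.clone();
    }

    double[] values() {
        return values.clone();
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(values.length);
        for (double v : values) {
            out.writeDouble(v);
        }
    }

    // Weak pattern, as the advisory describes it: allocate whatever length the
    // stream claims before reading a single element, so a message of a few
    // bytes can demand an array large enough to exhaust the heap.
    //
    //   int n = in.readInt();
    //   values = new double[n];   // no check on n
    //
    // Hardened pattern: reject negative or oversized counts before allocating,
    // then fill the array element by element from the stream.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int n = in.readInt();
        if (n < 0 || n > MAX_ELEMENTS) {
            throw new InvalidObjectException("element count out of range: " + n);
        }
        double[] tmp = new double[n];
        for (int i = 0; i < n; i++) {
            tmp[i] = in.readDouble();
        }
        values = tmp;
    }

    static byte[] serialize(BoundedDeserialization obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static BoundedDeserialization deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (BoundedDeserialization) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data for the round trip.
        BoundedDeserialization original = new BoundedDeserialization(new double[] {1.0, 2.5, -3.0});
        BoundedDeserialization copy = deserialize(serialize(original));
        System.out.println(Arrays.toString(copy.values()));
    }
}
```

The manual check is needed because the array here is allocated by the class's own readObject rather than by the stream, so a JDK-level ObjectInputFilter with a maxarray limit would not see it; that filter remains a worthwhile complement for arrays the stream itself materialises.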

CVE-2021-21409: Improper validation of HTTP requests in the io.netty:netty-codec-http2 module of Netty would allow remote attackers to send a specially crafted HTTP request to the server and perform an HTTP header smuggling attack.

This flaw received a CVSS score of 6.1/10.

CVE-2018-12541: A missing limit in the WebSocket HTTP upgrade implementation would allow remote authenticated attackers to cause memory corruption, leading to a DoS condition on the target system. The vulnerability received a CVSS score of 5.7/10.

CVE-2021-28169: A double-decoding issue when parsing URIs containing certain characters would allow remote attackers to send requests to ConcatServlet and WelcomeFilter and access the contents of protected resources within the WEB-INF directory.

The flaw received a score of 4.6/10 and its exploitation would allow remote attackers to access sensitive information.

All flaws reside in the following versions of Apache Pulsar: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, and 2.7.2.

While some of these flaws can be exploited remotely by unauthenticated threat actors, cybersecurity experts have not detected active exploitation attempts or any malware variant associated with them. Security patches are now available, so users of affected deployments are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.