Every CVE whose affected-product data names Apache Pulsar, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (20)
CVE-2021-22160 — CVSS 9.8 (critical): If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not…
CVE-2023-30429 — CVSS 9.6 (critical): Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and…
CVE-2024-27894 — CVSS 8.5 (high): The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation…
CVE-2024-27135 — CVSS 8.5 (high): Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar…
CVE-2024-27317 — CVSS 8.4 (high): In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted…
CVE-2022-34321 — CVSS 8.2 (high): Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without…
CVE-2023-30428 — CVSS 8.2 (high): Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a…
CVE-2023-37579 — CVSS 8.2 (high): Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before…
CVE-2022-33684 — CVSS 8.1 (high): The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even…
CVE-2023-37544 — CVSS 7.5 (high): Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without…
CVE-2023-51437 — CVSS 7.4 (high): Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token…
CVE-2025-30677 — CVSS 6.5 (medium): Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector…
CVE-2021-41571 — CVSS 6.5 (medium): In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The…
CVE-2022-24280 — CVSS 6.5 (medium): Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that…
CVE-2024-28098 — CVSS 6.4 (medium): The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention…
CVE-2024-29834 — CVSS 6.4 (medium): This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics…
CVE-2022-33683 — CVSS 5.9 (medium): Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when…
CVE-2022-33682 — CVSS 5.9 (medium): TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket…
CVE-2022-33681 — CVSS 5.9 (medium): Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack…
CVE-2023-31007 — CVSS 0.0 (none): Improper Authentication vulnerability in Apache Software Foundation Apache Pulsar Broker allows a client to stay connected to a broker…