CVE-2021-41571: [Pulsar admin] admin command 'get-message-by-id' can get message by messageId regardless of topic name · Issue #11814 · apache/pulsar

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to supply a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid id for that topic. Authorisation controls are performed against the topic name, and there is no proper validation that the ledger id is valid in the context of that topic. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.

CVE
#apache #auth
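The following is an added example, not Pulsar's own code, that models the authorization gap the advisory describes: the request is authorized against the topic name, but the read is performed with the caller-supplied ledger id, so nothing binds the ledger to the topic the caller was authorized for. The second handler adds the kind of check the fix referenced later in this thread describes (reject a ledger id that does not belong to the topic). All names, the role-to-tenant mapping and the ledger contents are constructed for the example and are not Pulsar identifiers.

```python
"""Model of CVE-2021-41571: authorize on one identifier, read by another.

Everything here is constructed for illustration; it is not Pulsar code.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not authorized for the topic's tenant."""


class NotFound(Exception):
    """Ledger or entry does not exist for the (authorized) topic."""


@dataclass(frozen=True)
class Topic:
    name: str
    tenant: str
    ledger_ids: frozenset  # ledgers this topic's managed ledger actually owns


# Constructed "BookKeeper": ledger id -> {entry id -> payload}.
LEDGERS = {
    100: {0: b"tenant-a: order #1"},  # belongs to tenant-a/ns/topic-a
    200: {0: b"tenant-b: payroll"},   # belongs to tenant-b/ns/topic-b
}

# Constructed topic metadata (hypothetical topic names).
TOPICS = {
    "persistent://tenant-a/ns/topic-a": Topic("persistent://tenant-a/ns/topic-a", "tenant-a", frozenset({100})),
    "persistent://tenant-b/ns/topic-b": Topic("persistent://tenant-b/ns/topic-b", "tenant-b", frozenset({200})),
}

# Constructed authorization table: role -> tenants it may read.
ROLES = {"alice": {"tenant-a"}, "bob": {"tenant-b"}}


def authorize(role: str, topic: Topic) -> None:
    """Topic-level authorization, as the advisory says the Admin API performs."""
    if topic.tenant not in ROLES.get(role, set()):
        raise Forbidden(f"{role} may not read {topic.name}")


def _lookup_topic(topic_name: str) -> Topic:
    try:
        return TOPICS[topic_name]
    except KeyError:
        raise NotFound(f"no such topic {topic_name}") from None


def get_message_by_id_vulnerable(role: str, topic_name: str, ledger_id: int, entry_id: int) -> bytes:
    """Pre-fix behaviour: the topic is only used for the auth check; the read
    trusts the caller's ledger id, which may point at another tenant's data."""
    topic = _lookup_topic(topic_name)
    authorize(role, topic)
    try:
        return LEDGERS[ledger_id][entry_id]
    except KeyError:
        raise NotFound(f"ledger {ledger_id} entry {entry_id}") from None


def get_message_by_id_fixed(role: str, topic_name: str, ledger_id: int, entry_id: int) -> bytes:
    """Post-fix behaviour: the ledger id must belong to the authorized topic
    before any read happens."""
    topic = _lookup_topic(topic_name)
    authorize(role, topic)
    if ledger_id not in topic.ledger_ids:
        # Same error as a genuinely missing entry, so the caller cannot probe
        # which ledger ids exist in other tenants' topics.
        raise NotFound(f"ledger {ledger_id} entry {entry_id}")
    try:
        return LEDGERS[ledger_id][entry_id]
    except KeyError:
        raise NotFound(f"ledger {ledger_id} entry {entry_id}") from None


def probe(handler, role: str, topic_name: str, ledger_id: int, entry_id: int):
    """Run a handler and report ('ok', payload) or ('error', exception name)."""
    try:
        return ("ok", handler(role, topic_name, ledger_id, entry_id))
    except (Forbidden, NotFound) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    # alice is authorized for topic-a but supplies tenant-b's ledger id.
    print(probe(get_message_by_id_vulnerable, "alice", "persistent://tenant-a/ns/topic-a", 200, 0))
    print(probe(get_message_by_id_fixed, "alice", "persistent://tenant-a/ns/topic-a", 200, 0))
```

The cross-tenant read succeeds against the vulnerable handler and is rejected by the fixed one, while a legitimate read of the topic's own ledger works in both. The point for reviewers: whenever an API authorizes on one identifier (the topic) and then dereferences a second, caller-controlled identifier (the ledger id), the second must be validated as belonging to the first, or the authorization check is decorative.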

Which version do you use?

Contributor Author

> Which version do you use?

2.8.0

Now, it seems the topic is only used to validate that the ledgerId has the topic, and for some auth, etc.

When validation succeeds, it invokes the ledger to fetch the message; there is no check after finding the message by id.

If topic1 and topic2 were put into the same ledger, this would not be right.

Maybe what we need is to clarify the description.

Because in get-message-by-id you know the ledgerId and entryId, which topic the message belongs to is very clear.

Topic is useless in this command. Maybe we should remove it.

> Topic is useless in this command. Maybe we should remove it.

But now it has some prechecks; when the checks are done and the message is queried, the topic name has no meaning... I think it is confusing sometimes.


Contributor Author

> Topic is useless in this command. Maybe we should remove it.

Topic is useful for lookup, and can redirect to the owner broker for finding the managedLedger. But even if we get the wrong managedLedger, we can use the managedLedger to get the message. Maybe we can add createIfMissing in the method 'getLedgerHandle'.


Contributor Author

> If topic1 and topic2 were put into the same ledger, this would not be right.

Can messages from different topics be put into the same ledger?

> Can messages from different topics be put into the same ledger?

No.

sijie pushed a commit that referenced this issue

Sep 2, 2021

Fix #11814: if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.

**changes** Add a check in the method 'internalGetMessageById' in PersistentTopicsBase: if the ledgerId does not belong to this topic, throw an exception.

eolivelli pushed a commit to eolivelli/pulsar that referenced this issue

Sep 2, 2021

Fix apache#11814: if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.

**changes** Add a check in the method 'internalGetMessageById' in PersistentTopicsBase: if the ledgerId does not belong to this topic, throw an exception.

(cherry picked from commit 9bfb3db)

eolivelli pushed a commit to datastax/pulsar that referenced this issue

Sep 2, 2021

Fix apache#11814: if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.

**changes** Add a check in the method 'internalGetMessageById' in PersistentTopicsBase: if the ledgerId does not belong to this topic, throw an exception.

(cherry picked from commit 9bfb3db)

hangc0276 pushed a commit that referenced this issue

Sep 3, 2021

Fix #11814: if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.

**changes** Add a check in the method 'internalGetMessageById' in PersistentTopicsBase: if the ledgerId does not belong to this topic, throw an exception.

(cherry picked from commit 9bfb3db)


Contributor Author

@zhanghaou
Thank you for sharing this finding.

This bug looks like a security issue.
Please take into consideration filing a "Security report" next time.
This issue is disclosing a potential security risk to a wide audience.

The correct process is to send an email to [email protected] or to [email protected].

We will follow up with a release soon.

OK.

bharanic-dev pushed a commit to bharanic-dev/pulsar that referenced this issue

Mar 18, 2022

Fix apache#11814: if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.

**changes** Add a check in the method 'internalGetMessageById' in PersistentTopicsBase: if the ledgerId does not belong to this topic, throw an exception.
