CVE-2021-41571: [Pulsar admin] admin command 'get-message-by-id' can get message by messageId regardless of topic name · Issue #11814 · apache/pulsar
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid id for the topic. Authorisation controls are performed against the topic name, and there is no proper validation that the ledger id is valid in the context of that topic. So it may happen that the user is able to read from a ledger that contains data owned by another tenant. This issue affects Apache Pulsar version 2.8.0 and prior versions; Apache Pulsar version 2.7.3 and prior versions; Apache Pulsar version 2.6.4 and prior versions.
Comments
sijie pushed a commit that referenced this issue
Sep 2, 2021
Fix #11814, if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.
**changes** Add check in the method ‘internalGetMessageById’ in PersistentTopicsBase, if the ledgerId does not belong to this topic, throw an exception.
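The issue description above and the fix commit describe the same defect and its remedy: authorisation is decided on the topic name, but the ledger id the caller supplies is never checked against the ledgers that topic actually owns, so a caller authorised on one topic can read a ledger belonging to another tenant. The following is an added, self-contained Python model of that access check (not Pulsar's own code; the topic, role, ledger and entry values are constructed for the example). It places the topic-only check next to the corrected version, which additionally requires the ledger id to be one of the topic's own ledgers, mirroring the check the commit adds to `internalGetMessageById`.

```python
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Role is not allowed to read the requested topic."""


class LedgerNotInTopic(Exception):
    """Ledger id does not belong to the topic named in the request."""


@dataclass(frozen=True)
class Topic:
    name: str
    ledger_ids: frozenset  # ledgers owned by this topic's managed ledger


# Constructed sample data standing in for BookKeeper storage:
# ledger id -> {entry id: payload}.  Ledger 200 belongs to tenant-b.
BOOKKEEPER = {
    100: {0: b"tenant-a order #1"},
    200: {0: b"tenant-b confidential record"},
}

# Constructed topic metadata: each topic knows which ledgers it owns.
TOPICS = {
    "persistent://tenant-a/ns/orders": Topic(
        "persistent://tenant-a/ns/orders", frozenset({100})),
    "persistent://tenant-b/ns/records": Topic(
        "persistent://tenant-b/ns/records", frozenset({200})),
}

# Constructed authorisation table: role -> topics it may read.
ROLE_TOPICS = {
    "role-a": {"persistent://tenant-a/ns/orders"},
    "role-b": {"persistent://tenant-b/ns/records"},
}


def authorize(role: str, topic_name: str) -> None:
    """Topic-level authorisation, as performed in both variants."""
    if topic_name not in ROLE_TOPICS.get(role, set()):
        raise NotAuthorized(f"{role} may not read {topic_name}")


def get_message_vulnerable(role: str, topic_name: str,
                           ledger_id: int, entry_id: int) -> bytes:
    """Pre-fix behaviour: only the topic name is authorised; the ledger id
    is used as an opaque pointer into storage without further checks."""
    authorize(role, topic_name)
    return BOOKKEEPER[ledger_id][entry_id]


def get_message_fixed(role: str, topic_name: str,
                      ledger_id: int, entry_id: int) -> bytes:
    """Post-fix behaviour: after topic authorisation, refuse any ledger id
    that is not part of the named topic's own ledger list."""
    authorize(role, topic_name)
    topic = TOPICS[topic_name]
    if ledger_id not in topic.ledger_ids:
        raise LedgerNotInTopic(
            f"ledger {ledger_id} does not belong to {topic_name}")
    return BOOKKEEPER[ledger_id][entry_id]


def cross_tenant_read_blocked() -> bool:
    """Returns True when the fixed variant refuses a ledger id that the
    vulnerable variant would have served to a caller authorised only on
    their own topic."""
    own_topic = "persistent://tenant-a/ns/orders"
    foreign_ledger = 200  # owned by tenant-b's topic
    served_before_fix = get_message_vulnerable(
        "role-a", own_topic, foreign_ledger, 0) is not None
    try:
        get_message_fixed("role-a", own_topic, foreign_ledger, 0)
        refused_after_fix = False
    except LedgerNotInTopic:
        refused_after_fix = True
    return served_before_fix and refused_after_fix


if __name__ == "__main__":
    print("cross-tenant read blocked by fix:", cross_tenant_read_blocked())
```

The design point is that the ledger id is a reference the caller controls, so the authorisation decision must cover the pair (topic, ledger) rather than the topic alone; a server-side lookup of the topic's ledger list is the authoritative source for that binding.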
eolivelli added a commit to eolivelli/pulsar that referenced this issue
Sep 2, 2021
Fix apache#11814, if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.
**changes** Add check in the method ‘internalGetMessageById’ in PersistentTopicsBase, if the ledgerId does not belong to this topic, throw an exception.
(cherry picked from commit 9bfb3db)
eolivelli added a commit to datastax/pulsar that referenced this issue
Sep 2, 2021
Fix apache#11814, if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.
**changes** Add check in the method ‘internalGetMessageById’ in PersistentTopicsBase, if the ledgerId does not belong to this topic, throw an exception.
(cherry picked from commit 9bfb3db)
hangc0276 added a commit that referenced this issue
Sep 3, 2021
Fix #11814, if we use another topic to find the message, it will return the message, but we may contaminate the ledgers cache in the topic.
**changes** Add check in the method ‘internalGetMessageById’ in PersistentTopicsBase, if the ledgerId does not belong to this topic, throw an exception.
(cherry picked from commit 9bfb3db)