7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-51437

GHSA ID

GHSA-c57v-4vg5-cm2x

EPSS Score

0.32548%

CWE

CWE-203

Published

2/7/2024

Updated

7/22/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-51437

CVE-2023-51437: Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the saslJaasServerRoleTokenSignerSecretPath file.

Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.

2.11 Pulsar users should upgrade to at least 2.11.3. 3.0 Pulsar users should upgrade to at least 3.0.2. 3.1 Pulsar users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.

For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-51437

GHSA ID

GHSA-c57v-4vg5-cm2x

EPSS Score

0.32548%

CWE

CWE-203

Published

2/7/2024

Updated

7/22/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.pulsar:pulsar-broker-auth-sasl	maven	< 2.11.3	2.11.3
org.apache.pulsar:pulsar-broker-auth-sasl	maven	>= 3.0.0, < 3.0.2	3.0.2
org.apache.pulsar:pulsar-broker-auth-sasl	maven	>= 3.1.0, < 3.1.1	3.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of String.equals() to compare cryptographic signatures in the verifyAndExtract method. The commit diff explicitly shows the replacement of String.equals() with MessageDigest.isEqual(), which is timing-attack resistant. This matches the CWE-203 (Observable Discrepancy) description and the referenced timing attack article. The function's role in signature verification directly impacts authentication security, making it the clear vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

O*s*rv**l* timin* *is*r*p*n*y vuln*r**ility in *p**** Puls*r S*SL *ut**nti**tion Provi**r **n *llow *n *tt**k*r to *or** * S*SL Rol* Tok*n t**t will p*ss si*n*tur* v*ri*i**tion. Us*rs *r* r**omm*n*** to up*r*** to v*rsion *.**.*, *.*.*, or *.*.* w*i*

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* `Strin*.*qu*ls()` to *omp*r* *rypto*r*p*i* si*n*tur*s in t** `v*ri*y*n**xtr**t` m*t*o*. T** *ommit *i** *xpli*itly s*ows t** r*pl***m*nt o* `Strin*.*qu*ls()` wit* `M*ss****i**st.is*qu*l()`, w*i** is timin*-*tt*

7.4

Basic Information

Concerned about an active attack path?

CVE-2023-51437: Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI