Directory Traversal Vulnerability in Apache Pulsar Functions Worker Could Allow Attacker to Modify Files Outside of Designated Extraction Directory
CVE-2024-27317

9.9 CRITICAL

Key Information:

Vendor: Apache
CVE Published: 12 March 2024

Summary

In the Apache Pulsar Functions Worker, authenticated users can upload functions packaged as jar or nar files. Both formats are plain zip archives, and the Functions Worker extracts their contents into a designated directory. Affected versions did not validate the entry names inside the archive, so an entry name could contain special path elements such as '..'. This is a directory traversal (zip slip) vulnerability: an authenticated user who is allowed to upload a function can craft an archive whose entries are written outside the intended extraction directory, creating or overwriting any file the Functions Worker process has permission to write. The Pulsar Broker is also affected when it runs an embedded Functions Worker, i.e. when it is configured with functionsWorkerEnabled=true. Users of affected versions are strongly advised to upgrade to the fixed releases listed below; until then, limiting which principals are authorized to upload functions reduces the set of users who can reach the vulnerable code.
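To make the failure mode concrete, the following added example (not Pulsar's own code; Python stands in for the Java worker) constructs a jar/nar in memory with one '..' entry, extracts it with a naive join-and-write loop of the kind the advisory describes, and then with a hardened loop that canonicalises every target and refuses the archive if any entry lands outside the extraction directory. The archive, the directory names and the helper functions are all constructed here for the demonstration. Entries are written by hand because Python's own ZipFile.extract() already strips '..' components, which would hide the bug.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def build_malicious_jar() -> bytes:
    """Construct, in memory, a jar/nar (both are plain zip archives) containing a
    benign manifest plus one entry whose name climbs out of the extraction root.
    Constructed sample for this demonstration, not a real upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # The '..' path elements in the entry name are the whole attack: an extractor
        # that simply joins dest + name writes this two directories above dest.
        zf.writestr("../../outside/pwned.txt", "written outside the extraction directory\n")
    return buf.getvalue()


def extract_naive(jar_bytes: bytes, dest: Path) -> list[Path]:
    """Vulnerable extractor: joins the entry name onto dest without checking where the
    result resolves (the same mistake as new File(dest, entry.getName()) in Java)."""
    written = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = Path(os.path.join(str(dest), info.filename))  # no containment check
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def extract_safe(jar_bytes: bytes, dest: Path) -> list[Path]:
    """Hardened extractor: canonicalise every target first and refuse the whole archive
    if any entry lands outside dest. Validating all names before writing anything
    avoids leaving a half-extracted function behind."""
    dest_real = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = (dest_real / info.filename).resolve()
            # Must be dest itself or strictly below it. Comparing resolved Path objects
            # also rejects absolute entry names and sibling dirs that merely share a
            # string prefix (e.g. dest_real2), which a startswith() check would miss.
            if target != dest_real and dest_real not in target.parents:
                raise ValueError(f"zip entry escapes extraction directory: {info.filename!r}")
            if not info.is_dir():
                planned.append((info, target))
        written = []
        for info, target in planned:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the crafted archive in a throwaway directory tree
    and report what happened, so the outcome can be asserted rather than eyeballed."""
    root = Path(tempfile.mkdtemp()).resolve()
    jar = build_malicious_jar()

    dest = root / "worker" / "extract"
    dest.mkdir(parents=True)
    naive_written = extract_naive(jar, dest)
    escaped = sorted(str(p.relative_to(root)) for p in naive_written if dest not in p.parents)

    safe_dest = root / "worker" / "extract_safe"
    safe_dest.mkdir(parents=True)
    try:
        extract_safe(jar, safe_dest)
        rejected = False
    except ValueError:
        rejected = True

    result = {
        "escaped": escaped,                                                # ['outside/pwned.txt']
        "naive_wrote_outside": (root / "outside" / "pwned.txt").is_file(),  # True
        "safe_rejected": rejected,                                         # True
        "safe_wrote_nothing": not any(safe_dest.rglob("*")),               # True
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The containment test is done on resolved paths rather than on the raw entry string: rejecting names that contain '..' is not enough on its own, because absolute names, symlinked directories and prefix collisions slip past a string filter, while a canonical-path comparison against the extraction root catches all of them.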

Affected Version(s)

Apache Pulsar 2.4.0 up to and including 2.10.5 (fixed in 2.10.6)

Apache Pulsar 2.11.0 up to and including 2.11.3 (fixed in 2.11.4)

Apache Pulsar 3.0.0 up to and including 3.0.2 (fixed in 3.0.3)

References

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 12 March 2024

  • Vulnerability reserved