Directory Traversal Vulnerability in Apache Pulsar Functions Worker Could Allow Attacker to Modify Files Outside of Designated Extraction Directory
CVE-2024-27317

8.4HIGH

Key Information:

Vendor: Apache
Status: Apache Pulsar
Vendor: CVE Published:; 12 March 2024

What is CVE-2024-27317?

In the Apache Pulsar Functions Worker, authenticated users have the ability to upload functions using jar or nar files. These files are processed by the Functions Worker, which extracts their content. A vulnerability exists due to inadequate validation of filenames within the zip files, potentially allowing special path elements like '..' to be included. This oversight leads to a directory traversal vulnerability, where an attacker could craft a malicious upload that modifies or creates files in directories outside of the intended extraction path. Importantly, this vulnerability also impacts the Pulsar Broker when it is configured with the 'functionsWorkerEnabled=true' setting. Users operating on vulnerable versions are strongly advised to upgrade to the secure releases listed in the advisory to mitigate these risks.

Affected Version(s)

Apache Pulsar 2.4.0 < 2.10.6

Apache Pulsar 2.11.0 < 2.11.4

Apache Pulsar 3.0.0 < 3.0.3

References

https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qs...

mailing-list

https://pulsar.apache.org/security/CVE-2024-27317/

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/03/12/10

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Feb 23, 2024