Pulsar Functions Worker Vulnerability: Unauthorized Access and Proxy Attacks
CVE-2024-27894

CVSS 8.5 (HIGH)

Key Information:

Vendor
Apache
CVE Published:
12 March 2024

Summary

The Apache Pulsar Functions Worker has a vulnerability that enables authenticated users to create functions whose implementation is referenced by a URL, including URLs with the 'file', 'http', and 'https' schemes. When a function is created this way, the Functions Worker retrieves the executable code from the supplied URL. An attacker can abuse this to read any file accessible to the Pulsar Functions Worker process, potentially exposing sensitive information such as secrets from the process environment. An attacker could also use the Functions Worker as a proxy to reach external HTTP and HTTPS endpoints, or to mount denial of service attacks. The Pulsar Broker is equally affected when configured with 'functionsWorkerEnabled=true'. Users are strongly advised to update to a patched version to mitigate this risk.
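As an added illustration (not code from the CVE record or the Apache Pulsar project), the following audit walks exported function configurations and flags every package reference that uses one of the 'file', 'http' or 'https' schemes named above, so an operator can inventory URL-hosted functions before and after patching. The config keys "jar", "py", "go", "tenant", "namespace" and "name", and the sample configs, are assumptions constructed for this example; adapt the keys to your deployment's export format.

```python
"""Audit Pulsar function configs for packages referenced by file/http/https URL.

Illustrative code only; the field names below are assumptions about the
exported function config format, not a documented Pulsar contract.
"""
import json
from urllib.parse import urlsplit

# Schemes the advisory says the Functions Worker will fetch code from.
FETCHED_SCHEMES = {"file", "http", "https"}
# Config keys assumed to carry the package location (one per runtime).
PACKAGE_KEYS = ("jar", "py", "go")


def package_scheme(location):
    """Return the lower-cased URL scheme of a package location ('' for a bare path)."""
    if not location:
        return ""
    # urlsplit already lower-cases the scheme; lower() again guards against
    # any pre-processing that bypasses it.
    return urlsplit(location.strip()).scheme.lower()


def find_url_hosted_functions(configs):
    """Return (tenant/namespace/name, key, location, scheme) for every config
    whose package location uses a scheme the Functions Worker would fetch."""
    findings = []
    for cfg in configs:
        fq_name = "{}/{}/{}".format(cfg.get("tenant", "?"),
                                    cfg.get("namespace", "?"),
                                    cfg.get("name", "?"))
        for key in PACKAGE_KEYS:
            location = cfg.get(key)
            scheme = package_scheme(location)
            if scheme in FETCHED_SCHEMES:
                findings.append((fq_name, key, location, scheme))
    return findings


# Constructed sample export: one uploaded package, one file URL, one http URL
# with an upper-case scheme, and one built-in package reference.
SAMPLE_CONFIGS = json.loads("""[
 {"tenant": "public", "namespace": "default", "name": "wordcount", "jar": "wordcount.jar"},
 {"tenant": "public", "namespace": "default", "name": "localpkg", "jar": "file:///srv/packages/pkg.jar"},
 {"tenant": "public", "namespace": "default", "name": "fetched", "py": "HTTP://packages.internal.example/f.py"},
 {"tenant": "public", "namespace": "default", "name": "builtin", "jar": "builtin://exclamation"}
]""")

if __name__ == "__main__":
    for fq_name, key, location, scheme in find_url_hosted_functions(SAMPLE_CONFIGS):
        print("{}: {}={} (scheme {})".format(fq_name, key, location, scheme))
```

Run against a real export, the list is the set of functions to review, because on an unpatched worker each entry is a place where the worker will fetch code from a location an authenticated user chose.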

Affected Version(s)

Apache Pulsar 2.4.0 < 2.10.6

Apache Pulsar 2.11.0 < 2.11.4

Apache Pulsar 3.0.0 < 3.0.3

References

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lari Hotari of StreamNative