critical
10
CWE
22
EPSS
0.044%
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2024-27317: Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification

First published: Tue Mar 12 2024(Updated: )

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Credit: security@apache.org security@apache.org

Affected SoftwareAffected VersionHow to fix
maven/org.apache.pulsar:pulsar-functions-worker>=3.2.0<3.2.1
3.2.1
maven/org.apache.pulsar:pulsar-functions-worker>=3.1.0<3.1.3
3.1.3
maven/org.apache.pulsar:pulsar-functions-worker>=3.0.0<3.0.3
3.0.3
maven/org.apache.pulsar:pulsar-functions-worker>=2.11.0<2.11.4
2.11.4
maven/org.apache.pulsar:pulsar-functions-worker>=2.4.0<2.10.6
2.10.6
Apache Pulsar>=2.4.0<2.10.6
Apache Pulsar>=2.11.0<2.11.4
Apache Pulsar>=3.0.0<3.0.3
Apache Pulsar=3.2.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-27317?

    The severity of CVE-2024-27317 is classified as high due to the potential for remote code execution through directory traversal vulnerabilities.

  • How do I fix CVE-2024-27317?

    To fix CVE-2024-27317, it is recommended to upgrade the Pulsar Functions Worker to version 3.2.1 or higher.

  • Which versions are affected by CVE-2024-27317?

    CVE-2024-27317 affects Apache Pulsar Functions Worker versions 2.10.6 up to 3.2.0.

  • What systems are impacted by CVE-2024-27317?

    CVE-2024-27317 impacts systems running Apache Pulsar that allow authenticated users to upload functions.

  • Is authentication sufficient protection against CVE-2024-27317?

    No, authentication alone is not sufficient protection against CVE-2024-27317 as it does not prevent the exploitation of the directory traversal vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203