Platform: apache
Component: apache-pulsar
Fixed in: 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1
CVE-2024-27317 describes a directory traversal vulnerability in the Apache Pulsar Functions Worker. Authenticated users can exploit this flaw by uploading malicious JAR or NAR files (effectively ZIP archives) whose entry names contain directory traversal sequences such as "..". This allows attackers to create or modify files outside the intended extraction directory, potentially leading to system compromise. The vulnerability impacts Pulsar versions 2.4.0 through 3.2.1, and a fix is available in version 3.2.1.
An attacker exploiting this vulnerability could achieve arbitrary file system access within the Pulsar Functions Worker's environment. By crafting malicious JAR or NAR files containing directory traversal sequences (e.g., ".."), they can manipulate the extraction process to write files to unexpected locations. This could include overwriting critical configuration files, injecting malicious code, or even gaining remote code execution if the extracted files are subsequently executed. The blast radius extends to any system accessible by the Pulsar Functions Worker, potentially impacting data integrity and system availability. While requiring authentication, the ease of uploading functions makes this a significant risk.
This CVE was publicly disclosed on March 12, 2024. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not yet listed on the CISA KEV catalog. The EPSS score is likely to be medium, given the requirement for authentication and the lack of readily available exploits, but the potential impact warrants careful attention.
Organizations heavily reliant on Apache Pulsar for stream processing and real-time data applications are particularly at risk. This includes those deploying Pulsar in production environments with limited security controls or those using older, unpatched versions (2.4.0–3.2.1). Shared hosting environments where multiple users can upload functions also present a heightened risk.
• linux / server:
journalctl -u pulsar-broker -g 'file creation outside designated directory'
• generic web:
curl -I http://<pulsar_broker_url>/functions/<malicious_function_name>.jar | grep 'Server: Apache Pulsar'
Disclosure
Exploit status
EPSS: 1.03% (77th percentile)
CVSS vector
The primary mitigation is to upgrade Apache Pulsar to version 3.2.1 or later, which includes the necessary path validation fixes. If immediate upgrading is not feasible, consider implementing stricter access controls on function uploads, limiting which users can upload functions and restricting the directories where functions can be stored. WAF rules can be configured to inspect uploaded JAR/NAR files for suspicious directory traversal patterns within their archive contents. Regularly scan Pulsar function repositories for potentially malicious files. After upgrading, verify the fix by attempting to upload a test JAR/NAR file containing a directory traversal sequence (e.g., "../../../../etc/passwd") and confirming that the extraction fails with an appropriate error.
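The "strict filename validation" workaround above, and the post-upgrade check that a traversal entry is rejected, both come down to one rule: no archive entry may resolve outside the extraction root. The following Python is an added example written for this page; it is not Pulsar's own code, and the function names `find_traversal_entries`, `safe_extract`, `build_sample_archive` and `try_extract_to_temp` are assumptions chosen here. It scans a JAR/NAR (ZIP) for absolute paths, drive prefixes and `..` components, refuses to extract if any are found, and re-verifies every resolved target path before writing. The archives it checks are constructed in memory as test data.

```python
import io
import os
import tempfile
import zipfile


def find_traversal_entries(archive_bytes: bytes) -> list[str]:
    """Return every entry name in a JAR/NAR (ZIP) that would escape the
    extraction root: absolute paths, Windows drive prefixes, or any '..'
    path component. An empty list means the archive passed the name check."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # treat backslashes as separators too
            drive_prefix = len(name) >= 2 and name[1] == ":"  # e.g. "C:/..."
            if name.startswith("/") or drive_prefix or ".." in name.split("/"):
                suspicious.append(info.filename)
    return suspicious


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only after the archive passes the name check, then re-verify each
    resolved target path against the destination before writing anything.
    Raises ValueError rather than silently dropping bad components, so an
    upload pipeline can reject the artifact and log the event."""
    bad = find_traversal_entries(archive_bytes)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    dest_real = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Belt and braces: the resolved path must still sit under dest_real.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry resolves outside destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def build_sample_archive(entry_names: list[str]) -> bytes:
    """Build an in-memory ZIP with the given entry names. This is constructed
    test data, not a real Pulsar function package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entry_names:
            zf.writestr(name, b"placeholder content\n")
    return buf.getvalue()


def try_extract_to_temp(archive_bytes: bytes):
    """Extract into a fresh temporary directory. Returns the list of written
    entry paths, or None if the archive was rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return safe_extract(archive_bytes, tmp)
        except ValueError:
            return None


if __name__ == "__main__":
    benign = build_sample_archive(["META-INF/MANIFEST.MF", "com/example/MyFunction.class"])
    hostile = build_sample_archive(["META-INF/MANIFEST.MF", "../../../../etc/passwd"])
    print("benign entries flagged:", find_traversal_entries(benign))
    print("hostile entries flagged:", find_traversal_entries(hostile))
    print("benign extracted:", try_extract_to_temp(benign))
    print("hostile extracted:", try_extract_to_temp(hostile))
```

Two design points: the name check runs before any file is written, so a hostile archive never partially extracts; and the extractor raises instead of sanitising, because Python's own `ZipFile.extractall` silently strips `..` components and leading separators, which hides exactly the event a Functions Worker operator would want logged and alerted on.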
Upgrade Apache Pulsar to version 2.10.6 or later if you are on the 2.10 series, and to version 2.11.4 or later if you are on the 2.11 series. For the 3.0, 3.1 and 3.2 series, upgrade to versions 3.0.3, 3.1.3 and 3.2.1 respectively, or to a more recent release.
CVE-2024-27317 is a HIGH severity vulnerability in Apache Pulsar versions 2.4.0–3.2.1 where malicious function uploads can exploit a directory traversal flaw, potentially allowing unauthorized file access and modification.
If you are running Apache Pulsar versions 2.4.0 through 3.2.1, you are potentially affected by this vulnerability. Immediate action is required.
The recommended fix is to upgrade Apache Pulsar to version 3.2.1 or later. Temporary workarounds include restricting file uploads and implementing strict filename validation.
While no active exploitation campaigns have been definitively confirmed, the vulnerability's nature and potential impact suggest that exploitation is likely. Monitor your systems closely.
Refer to the official Apache Pulsar security advisory for detailed information and updates: [https://pulsar.apache.org/security/CVE-2024-27317/](https://pulsar.apache.org/security/CVE-2024-27317/)