CVE-2024-27317: Directory Traversal in Apache Pulsar

The core of this vulnerability lies in the Functions Worker's lack of proper validation of filenames within uploaded JAR and NAR files. An attacker, possessing valid authentication credentials, can craft a malicious function package containing filenames designed to traverse directories. For example, a filename like "../../../../etc/passwd" could allow an attacker to overwrite or create files in sensitive system locations. This could lead to arbitrary code execution, data exfiltration, or denial of service. The potential impact extends beyond simple file modification; an attacker could potentially inject malicious code into the Pulsar environment, gaining persistent access and control. The blast radius is significant, as a compromised Pulsar cluster could impact all applications and services relying on it.

1. Reserved2024-02-23
2. Published2024-03-12
3. Modified2025-02-13
4. EPSS updated2026-04-02

The primary mitigation for CVE-2024-27317 is to immediately upgrade Apache Pulsar to version 3.2.1 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to restrict the types of files that can be uploaded as Pulsar functions, limiting the attack surface. Additionally, implement strict input validation on all uploaded files, specifically sanitizing filenames to prevent directory traversal sequences. Web Application Firewalls (WAFs) configured to detect and block requests containing suspicious filenames can also provide a layer of defense. Monitor Pulsar logs for unusual file creation or modification activity, particularly in unexpected directories. After upgrading, confirm the fix by attempting to upload a test function with a malicious filename (e.g., "../../../../tmp/testfile") and verifying that the upload fails with an appropriate error message.