2269257 – (CVE-2024-27317) CVE-2024-27317 apache-pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification

Bug 2269257 (CVE-2024-27317) - CVE-2024-27317 apache-pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification

Summary: CVE-2024-27317 apache-pulsar: Pulsar Functions Worker's Archive Extraction Vu...

Keywords:
Status:	NEW
Alias:	CVE-2024-27317
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2269246
TreeView+	depends on / blocked

Reported:	2024-03-12 20:31 UTC by Marco Benatto
Modified:	2024-04-30 23:00 UTC (History)
CC List:	33 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A path traversal vulnerability was found in Apache Pulsar. Pulsar allows authenticated users to upload functions to be run by the Pulsar Function Workers, these codes are in the format of a ZIP file. When extracting the uploaded ZIP file Pulsar fails to properly validate the file names contained in the uploaded ZIP file. This flaw allows an attacker to create or modify files outside of the intended directory, possibly influencing the system's behavior. Pulsar Broker is also vulnerable to this flaw when configured with "functionsWorkerEnabled=true".
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-03-12 20:31:54 UTC

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po
https://pulsar.apache.org/security/CVE-2024-27317/

Note You need to log in before you can comment on or make changes to this bug.

aileenc
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
cmiranda
darran.lofthouse
dkreling
dosoudil
fjuma
fmariani
gmalinko
ivassile
iweiss
janstey
jpoth
lgao
mosmerov
msochure
mstefank
msvehla
nwallace
pcongius
pdelbell
pjindal
pmackay
rstancel
smaestri
tcunning
tom.jenkinson
yfang