PT-2024-2611 · Apache · Apache Pulsar
Lari Hotari
Published: 2024-03-12 · Updated: 2025-01-19
CVE-2024-27894
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Pulsar versions prior to 2.10.6
Apache Pulsar versions prior to 2.11.4
Apache Pulsar versions prior to 3.0.3
Apache Pulsar versions prior to 3.1.3
Apache Pulsar versions prior to 3.2.1
Description
The issue is related to the Pulsar Functions Worker, which allows authenticated users to create functions whose implementation is referenced by a URL. This feature introduces a vulnerability that an attacker can exploit to gain unauthorized access to any file the Pulsar Functions Worker process has permission to read, including the process environment, which may contain sensitive information such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to fetch the content of remote HTTP and HTTPS endpoint URLs and to carry out denial of service attacks. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
Recommendations
For versions prior to 2.10.6, upgrade to at least 2.10.6.
For versions prior to 2.11.4, upgrade to at least 2.11.4.
For versions prior to 3.0.3, upgrade to at least 3.0.3.
For versions prior to 3.1.3, upgrade to at least 3.1.3.
For versions prior to 3.2.1, upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
As a temporary workaround, consider restricting access to the additionalEnabledConnectorUrlPatterns and additionalEnabledFunctionsUrlPatterns configuration keys to minimize the risk of exploitation.
Fix
RCE
Files Accessible to External Parties
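The allowlist approach behind the two configuration keys named in the workaround above, modelled as an added Python example that is not Pulsar's own code: package URLs are denied unless they are http(s) and fully match a configured pattern, which is what blocks local file reads and use of the worker as an outbound proxy. Treating the keys as lists of regular expressions is an assumption of this example, and the host names and URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample values for the two Functions Worker keys named in the
# advisory. Treating them as lists of regular expressions is an assumption
# made for this example, not the documented Pulsar value format.
ADDITIONAL_ENABLED_FUNCTIONS_URL_PATTERNS = [
    r"https://artifacts\.example\.internal/functions/[A-Za-z0-9._-]+\.jar",
]
ADDITIONAL_ENABLED_CONNECTOR_URL_PATTERNS = [
    r"https://artifacts\.example\.internal/connectors/[A-Za-z0-9._-]+\.nar",
]


def is_package_url_allowed(url: str, allowed_patterns) -> bool:
    """Deny by default: accept only a well-formed http(s) URL with a host whose
    whole text matches one configured pattern. file:, data: and unlisted
    http(s) hosts are rejected, closing the file-read and proxy cases."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return any(re.fullmatch(p, url) for p in allowed_patterns)


def decide(kind: str, url: str) -> bool:
    """Pick the allowlist for a 'function' or 'connector' package request."""
    if kind == "function":
        return is_package_url_allowed(url, ADDITIONAL_ENABLED_FUNCTIONS_URL_PATTERNS)
    if kind == "connector":
        return is_package_url_allowed(url, ADDITIONAL_ENABLED_CONNECTOR_URL_PATTERNS)
    raise ValueError(f"unknown package kind: {kind}")


def triage(requests):
    """Evaluate constructed (kind, url) create requests and return the ones
    the allowlist would reject, e.g. for review or alerting."""
    return [(kind, url) for kind, url in requests if not decide(kind, url)]


if __name__ == "__main__":
    sample = [  # constructed requests, not real traffic
        ("function", "https://artifacts.example.internal/functions/wordcount-1.0.jar"),
        ("function", "file:///tmp/wordcount.jar"),
        ("function", "https://intranet.example.internal/status"),
        ("connector", "https://artifacts.example.internal/connectors/kafka-sink.nar"),
    ]
    for kind, url in triage(sample):
        print(f"rejected {kind} package URL: {url}")
```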
Related Identifiers
Affected Products
Apache Pulsar