AVID-2026-R1444
Description
Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution (CVE-2024-27135)
Details
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with functionsWorkerEnabled=true, i.e. when the broker runs the function worker inside its own process rather than as a separate service.
This issue affects the following Apache Pulsar versions:
- 2.4.0 through 2.10.5
- 2.11.0 through 2.11.3
- 3.0.0 through 3.0.2
- 3.1.0 through 3.1.2
- 3.2.0
Pulsar Function Worker users should upgrade to at least the patched release of their branch:
- 2.10: 2.10.6
- 2.11: 2.11.4
- 3.0: 3.0.3
- 3.1: 3.1.3
- 3.2: 3.2.1
Users running any earlier version (including the 2.4 through 2.9 branches, which fall inside the first affected range) should upgrade to one of the patched releases above or to a newer version.
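The version ranges and the functionsWorkerEnabled condition are what an operator has to check across a fleet, and doing it by eye across five branches is error-prone. The following Python script is an added example, not code from the advisory or the Pulsar project: it encodes the affected ranges and fixed releases exactly as the advisory lists them, returns the minimum patched release for a given version (an older branch such as 2.9.x maps to 2.10.6, as the advisory directs), and scans a broker.conf excerpt so that brokers embedding the function worker are counted as in scope. The function names and the broker.conf sample are assumptions constructed for this example.

```python
"""Hypothetical triage helper for CVE-2024-27135 (added example, not Pulsar code).

The affected ranges and fixed versions below are copied from the advisory text;
the broker.conf sample is constructed for the example.
"""
import re
from typing import Optional

# Inclusive affected ranges and the first fixed release of each branch,
# exactly as listed in the advisory (3.2.0 is a single-version range).
AFFECTED_RANGES = [
    ((2, 4, 0), (2, 10, 5)),
    ((2, 11, 0), (2, 11, 3)),
    ((3, 0, 0), (3, 0, 2)),
    ((3, 1, 0), (3, 1, 2)),
    ((3, 2, 0), (3, 2, 0)),
]
FIXED_VERSIONS = [(2, 10, 6), (2, 11, 4), (3, 0, 3), (3, 1, 3), (3, 2, 1)]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' (optional leading 'v') into an int tuple.

    Anything else (snapshots, release candidates, vendor suffixes) is rejected
    rather than guessed at: such builds need a manual check against the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Pulsar version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """True if the version falls inside any advisory range (inclusive)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version: tuple) -> Optional[tuple]:
    """Smallest patched release newer than `version`, or None if none is newer.

    This reproduces the advisory's rule that branches older than the listed
    ones (e.g. 2.9.x) move to the next branch's patched release (2.10.6).
    """
    candidates = [f for f in FIXED_VERSIONS if f > version]
    return min(candidates) if candidates else None


def assess(version_text: str) -> dict:
    """Summarise exposure and the upgrade target for one version string."""
    version = parse_version(version_text)
    affected = is_affected(version)
    fix = minimum_fixed_version(version) if affected else None
    return {
        "version": version_text,
        "affected": affected,
        "upgrade_to": ".".join(map(str, fix)) if fix else None,
    }


def broker_runs_function_worker(conf_text: str) -> bool:
    """True if a broker.conf enables the embedded function worker.

    Brokers with functionsWorkerEnabled=true are in scope even when no
    standalone function worker is deployed. Blank and '#' comment lines are
    skipped; if the key appears more than once the last assignment wins, the
    usual reading of a properties-style file.
    """
    enabled = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "functionsWorkerEnabled":
            enabled = value.strip().lower() == "true"
    return enabled


# Constructed broker.conf excerpt for the example (not from a real deployment).
SAMPLE_BROKER_CONF = """\
# functionsWorkerEnabled=false
brokerServicePort=6650
functionsWorkerEnabled=true
"""


if __name__ == "__main__":
    for v in ["2.9.1", "2.10.5", "2.10.6", "3.0.2", "3.2.0", "3.2.1"]:
        print(assess(v))
    print("broker embeds function worker:",
          broker_runs_function_worker(SAMPLE_BROKER_CONF))
```

Feed it the output of `pulsar version` (or the image tag) per host, plus each broker's broker.conf; a broker reported as not affected by version alone still needs the config check before it is struck off the list.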
Reason for inclusion in AVID: CVE-2024-27135 describes remote code execution via improper input validation in Apache Pulsar’s Function Worker, a software component commonly used in data pipelines and AI/ML workflows. This affects the software stack used to build/run AI systems (messaging/processing components), representing a genuine security vulnerability in a supply-chain-relevant dependency. The report provides CVSS details and patch guidance, giving sufficient signals for evaluation.
References
- NVD entry
- https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
- https://pulsar.apache.org/security/CVE-2024-27135/
- http://www.openwall.com/lists/oss-security/2024/03/12/9
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Pulsar |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 8.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-20 | Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-03-12
- Version: 0.3.3
- AVID Entry