AVID-2026-R1445
Description
Apache Pulsar: Pulsar Functions Worker’s Archive Extraction Vulnerability Allows Unauthorized File Modification (CVE-2024-27317)
Details
In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren’t properly validated, contain special elements like “..”, altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with “functionsWorkerEnabled=true”.
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
Pulsar Function Worker users should upgrade as follows:
- 2.10 users: at least 2.10.6
- 2.11 users: at least 2.11.4
- 3.0 users: at least 3.0.3
- 3.1 users: at least 3.1.3
- 3.2 users: at least 3.2.1
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
Reason for inclusion in AVID: CVE-2024-27317 describes a directory traversal vulnerability in Apache Pulsar Functions Worker which allows an authenticated user to modify files outside the intended extraction directory via crafted archive uploads (jar/nar). Pulsar is commonly used in AI data pipelines, model serving, and orchestration as part of AI/ML software stacks; thus this vulnerability is within a software component that can affect AI systems and their deployment pipelines. It is a network-exploitable security vulnerability in a software supply-chain-relevant component (artifact processing/serving), not a hardware/firmware issue. The evidence (CVSS details, affected versions, remediation guidance) supports classification as a security vulnerability in a component used to build/run AI workloads.
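The Details section describes the classic "Zip Slip" pattern: an archive entry name such as `../../escaped.txt` is joined onto the extraction directory without validation, so the resolved path lands outside it. The following Python example is added here to illustrate the defensive check; it is not code from Apache Pulsar or from the advisory. It builds a constructed in-memory archive (one benign layout and one containing traversal entries), resolves each entry's target against the destination directory, and refuses the whole archive if any entry escapes. The entry names, the `build_sample_archive` helper and the `demo` function are all assumptions made for this illustration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archive. With malicious=True it also carries two
    entries whose names climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("functions/handler.py", "def process(x):\n    return x\n")
        if malicious:
            # Neither name is normalised by writestr, so the '..' survives.
            zf.writestr("../../escaped.txt", "outside the extraction directory\n")
            zf.writestr("a/../../b/also_escaped.txt", "")
    return buf.getvalue()


def is_within_directory(base: Path, candidate: Path) -> bool:
    """True if candidate, after resolving '..' and symlinks, stays under base."""
    base_resolved = base.resolve()
    candidate_resolved = candidate.resolve()  # works for paths that do not exist yet
    try:
        candidate_resolved.relative_to(base_resolved)
        return True
    except ValueError:
        return False


def validate_entries(archive: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Split archive entry names into those safe to write under dest and those
    that would land outside it (absolute paths, drive letters, '..' escapes)."""
    accepted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or (len(name) > 1 and name[1] == ":"):
                rejected.append(name)
                continue
            if is_within_directory(dest, dest / name):
                accepted.append(name)
            else:
                rejected.append(name)
    return accepted, rejected


def safe_extract(archive: bytes, dest: Path) -> list[str]:
    """Extract the archive only if every entry resolves inside dest.
    Rejecting the whole upload is preferable to silently skipping entries,
    because a partially written function package is itself suspicious."""
    accepted, rejected = validate_entries(archive, dest)
    if rejected:
        raise ValueError(f"refusing archive with traversal entries: {rejected}")
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in accepted:
            target = dest / name
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return accepted


def demo() -> dict:
    """Run both constructed archives against a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extracted"
        accepted, rejected = validate_entries(build_sample_archive(True), dest)
        try:
            safe_extract(build_sample_archive(True), dest)
            raised = False
        except ValueError:
            raised = True
        extracted = safe_extract(build_sample_archive(False), dest)
        on_disk = sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())
        return {
            "accepted": accepted,
            "rejected": rejected,
            "raised": raised,
            "extracted": extracted,
            "on_disk": on_disk,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is done on the fully resolved path rather than by searching the name for `..`, so encodings that normalise to a parent directory (such as `a/../../b`) are caught the same way as a bare `../`. Note that Python's own `ZipFile.extractall` already strips such components, so the manual validation here stands in for the missing check in any extractor that joins names naively.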
References
- NVD entry
- https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po
- https://pulsar.apache.org/security/CVE-2024-27317/
- http://www.openwall.com/lists/oss-security/2024/03/12/10
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Pulsar |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L |
| Base Score | 8.4 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-03-12
- Version: 0.3.3
- AVID Entry