Severity: 8.8 HIGH
EPSS: 0.4% (top 38.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 12

Description

The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Puls

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 6.0

Affected Packages (3 packages)

Source      | Package                                          | Introduced | Fixed   | More
NVD         | apache/pulsar                                    | 2.4.0      | 2.10.6  | +4
CVEListV5   | apache_software_foundation/apache_pulsar         | 2.4.0      | 2.10.6  | +4

Vulnerability Details (3)

- CVEList: Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying (2024-03-12)
- GHSA: Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying (2024-03-12)
- OSV: Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying (2024-03-12)

Vendor Advisories (1)

- Red Hat: apache-pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying (2024-03-12)