CVE-2024-27135
Description
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.pulsar:pulsar-functions-workerMaven | >= 2.4.0, < 2.10.6 | 2.10.6 |
org.apache.pulsar:pulsar-functions-workerMaven | >= 2.11.0, < 2.11.4 | 2.11.4 |
org.apache.pulsar:pulsar-functions-workerMaven | >= 3.0.0, < 3.0.3 | 3.0.3 |
org.apache.pulsar:pulsar-functions-workerMaven | >= 3.1.0, < 3.1.3 | 3.1.3 |
org.apache.pulsar:pulsar-functions-workerMaven | >= 3.2.0, < 3.2.1 | 3.2.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- www.openwall.com/lists/oss-security/2024/03/12/9nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-xp2r-g8qq-44hhghsaADVISORY
- lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wnnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-27135ghsaADVISORY
- pulsar.apache.org/security/CVE-2024-27135/nvdVendor Advisory
- pulsar.apache.org/security/CVE-2024-27135ghsaWEB
News mentions
0No linked articles in our index yet.