CVE-2024-27135
Severity CVSS v4.0: Pending analysis
Type: CWE-20 Input Validation
Publication date: 12/03/2024
Last modified: 13/02/2025
Description
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users running any version earlier than those listed above should upgrade to the corresponding patched version or a newer one.
Impact
Base Score 3.x: 8.50
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.4.0 (including) | 2.10.6 (excluding) |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.11.0 (including) | 2.11.4 (excluding) |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.3 (excluding) |
| cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 3.1.0 (including) | 3.1.3 (excluding) |
| cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:* | 3.2.0 (exact version) | 3.2.0 (exact version) |
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/03/12/9
- https://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
- https://pulsar.apache.org/security/CVE-2024-27135/