CVE-2024-27135

Severity CVSS v4.0:
Pending analysis
Type:
CWE-20 Input Validation
Publication date:
12/03/2024
Last modified:
13/02/2025

Description

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Vulnerable products and versions

CPE                                            From                Up to
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*        2.4.0 (including)   2.10.6 (excluding)
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*        2.11.0 (including)  2.11.4 (excluding)
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*        3.0.0 (including)   3.0.3 (excluding)
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*        3.1.0 (including)   3.1.3 (excluding)
cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*    3.2.0 (exact)       -