GHSA-xp2r-g8qq-44hh

Source

https://github.com/advisories/GHSA-xp2r-g8qq-44hh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-xp2r-g8qq-44hh/GHSA-xp2r-g8qq-44hh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xp2r-g8qq-44hh

Aliases

CVE-2024-27135

Published

2024-03-12T21:30:59Z

Modified

2024-05-02T18:46:15.666747Z

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution

Details

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Database specific

{
    "nvd_published_at": "2024-03-12T19:15:47Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-13T21:59:37Z"
}

References

Affected packages

Maven / org.apache.pulsar:pulsar-functions-worker

Package

Name: org.apache.pulsar:pulsar-functions-worker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-functions-worker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.10.6

Affected versions

2.*

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

Database specific

{
    "last_known_affected_version_range": "<= 2.10.5"
}

Maven / org.apache.pulsar:pulsar-functions-worker

Package

Name: org.apache.pulsar:pulsar-functions-worker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-functions-worker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.11.0

Fixed

2.11.4

Affected versions

2.*

2.11.0

2.11.1

2.11.2

2.11.3

Database specific

{
    "last_known_affected_version_range": "<= 2.11.3"
}

Maven / org.apache.pulsar:pulsar-functions-worker

Package

Name: org.apache.pulsar:pulsar-functions-worker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-functions-worker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.3

Affected versions

3.*

3.0.0

3.0.1

3.0.2

Database specific

{
    "last_known_affected_version_range": "<= 3.0.2"
}

Maven / org.apache.pulsar:pulsar-functions-worker

Package

Name: org.apache.pulsar:pulsar-functions-worker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-functions-worker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.3

Affected versions

3.*

3.1.0

3.1.1

3.1.2

Database specific

{
    "last_known_affected_version_range": "<= 3.1.2"
}

Maven / org.apache.pulsar:pulsar-functions-worker

Package

Name: org.apache.pulsar:pulsar-functions-worker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pulsar/pulsar-functions-worker