CVE-2024-27894
Vulnerability from cvelistv5
Published: 2024-03-12 18:19
Modified: 2025-02-13 17:47
Summary
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.
This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.
2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.
3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.
3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.
3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and "additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.
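The following is an added example for this record; it is not code from the CVE entry or from the Apache Pulsar project. It encodes the affected ranges above so that a deployed version string can be checked against them, and it models the difference between the pre-fix behaviour (any file, http or https URL supplied at function creation is fetched by the worker) and the allow-list that patched releases apply through additionalEnabledFunctionsUrlPatterns. Treating the allow-list as regular expressions matched against the whole URL is an assumption about how those keys are evaluated, and "empty allow-list rejects everything" is part of this model, not a statement about the real patched default, which the record describes only as "restrictions". The probe URLs are constructed for the example.

```python
"""Added example for CVE-2024-27894 (not code from the CVE record or the
Apache Pulsar project). Two checks a practitioner wants when triaging this
issue: is my Pulsar version affected, and does my URL allow-list still let
an authenticated user point the Functions Worker at a local file or an
internal HTTP endpoint?"""
import re
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlparse

Version = Tuple[int, int, int]

# Affected ranges from the record's cna.affected: [first affected, first fixed).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 4, 0), (2, 10, 6)),
    ((2, 11, 0), (2, 11, 4)),
    ((3, 0, 0), (3, 0, 3)),
    ((3, 1, 0), (3, 1, 3)),
    ((3, 2, 0), (3, 2, 1)),
]

# URL schemes the record says the Functions Worker will fetch from.
SUPPORTED_SCHEMES = {"file", "http", "https"}

# Constructed probe URLs: what an attacker would aim a URL-based function
# creation at (local file read, process environment, internal HTTP endpoints).
PROBE_URLS: Tuple[str, ...] = (
    "file:///proc/self/environ",
    "file:///etc/passwd",
    "http://169.254.169.254/latest/meta-data/",
    "http://localhost:8080/admin/v2/",
    "https://intranet.example.internal/",
)


def parse_version(version: str) -> Version:
    """'3.0.2' or '3.0.2-SNAPSHOT' -> (3, 0, 2); missing components are zero."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fixed_version_for(version: str) -> Optional[str]:
    """Minimum patched release on the same line, or None when the version is
    outside every affected range (the record's defaultStatus is 'unaffected',
    so 2.3.x and 3.3.0+ are not affected)."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def vulnerable_url_accepted(url: str) -> bool:
    """Pre-fix behaviour as the record describes it: any supported scheme is
    fetched, so a file:// path readable by the worker process or an internal
    http(s):// endpoint is reachable to any authenticated caller."""
    return urlparse(url).scheme in SUPPORTED_SCHEMES


def hardened_url_accepted(url: str, allowed_patterns: Sequence[str]) -> bool:
    """Model of the patched check: the scheme must still be supported AND the
    whole URL must match one configured pattern. Regex-over-full-URL semantics
    are an assumption about additionalEnabledFunctionsUrlPatterns; in this
    model an empty allow-list rejects every URL-based creation."""
    if urlparse(url).scheme not in SUPPORTED_SCHEMES:
        return False
    return any(re.fullmatch(pattern, url) for pattern in allowed_patterns)


def probe_allow_list(allowed_patterns: Sequence[str]) -> List[str]:
    """Return the probe URLs an allow-list would still admit. A non-empty
    result means the configured patterns re-open the file-read or proxy
    path the fix closed (for example a catch-all such as '.*')."""
    return [u for u in PROBE_URLS if hardened_url_accepted(u, allowed_patterns)]


if __name__ == "__main__":
    for ver in ("2.10.5", "2.10.6", "3.2.0", "3.3.0"):
        print(ver, "affected" if is_affected(ver) else "not affected",
              fixed_version_for(ver) or "")
    strict = [r"https://artifacts\.example\.internal/functions/.*\.(jar|nar)"]
    print("strict allow-list admits:", probe_allow_list(strict))  # []
    print("catch-all admits:", probe_allow_list([r".*"]))  # every probe URL
```

When reviewing a worker or broker configuration after upgrading, run the configured patterns through probe_allow_list: a pattern that admits a file:// path outside the intended artifact directory, or any http(s):// host that is not the artifact server, reintroduces the file-read and proxying behaviour the upgrade removed. Anchor patterns to a scheme and host, and require the artifact suffix, as the strict example does.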
Impacted products
Vendor                      Product        Affected versions (semver range)   Fixed in
Apache Software Foundation  Apache Pulsar  2.4.0 up to and including 2.10.5   2.10.6
Apache Software Foundation  Apache Pulsar  2.11.0 up to and including 2.11.3  2.11.4
Apache Software Foundation  Apache Pulsar  3.0.0 up to and including 3.0.2    3.0.3
Apache Software Foundation  Apache Pulsar  3.1.0 up to and including 3.1.2    3.1.3
Apache Software Foundation  Apache Pulsar  3.2.0                              3.2.1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-27894",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-03-13T16:05:51.769657Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:47:12.905Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T00:41:55.869Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p",
               },
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://pulsar.apache.org/security/CVE-2024-27894/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2024/03/12/11",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Pulsar",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "2.10.6",
                     status: "affected",
                     version: "2.4.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "2.11.4",
                     status: "affected",
                     version: "2.11.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.0.3",
                     status: "affected",
                     version: "3.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.1.3",
                     status: "affected",
                     version: "3.1.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.2.1",
                     status: "affected",
                     version: "3.2.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Lari Hotari of StreamNative",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.<br>This vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".<br><br>This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. <br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br>3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br>3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br>3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.<br><br>The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.",
                  },
               ],
                value: "The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \"file\", \"http\", and \"https\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\nThis vulnerability also applies to the Pulsar Broker when it is configured with \"functionsWorkerEnabled=true\".\n\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\n\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \"additionalEnabledConnectorUrlPatterns\" and \"additionalEnabledFunctionsUrlPatterns\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20 Improper Input Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-552",
                     description: "CWE-552 Files or Directories Accessible to External Parties",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-05-01T17:09:31.832Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p",
            },
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://pulsar.apache.org/security/CVE-2024-27894/",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2024/03/12/11",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         title: "Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2024-27894",
      datePublished: "2024-03-12T18:19:41.084Z",
      dateReserved: "2024-02-26T21:19:23.344Z",
      dateUpdated: "2025-02-13T17:47:12.314Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         descriptions: "[{\"lang\": \"en\", \"value\": \"The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \\\"file\\\", \\\"http\\\", and \\\"https\\\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\\nThis vulnerability also applies to the Pulsar Broker when it is configured with \\\"functionsWorkerEnabled=true\\\".\\n\\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \\n\\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\\n\\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\\n\\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. 
For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \\\"additionalEnabledConnectorUrlPatterns\\\" and \\\"additionalEnabledFunctionsUrlPatterns\\\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.\"}, {\"lang\": \"es\", \"value\": \"Pulsar Functions Worker incluye una capacidad que permite a los usuarios autenticados crear funciones donde se hace referencia a la implementaci\\u00f3n de la funci\\u00f3n mediante una URL. Los esquemas de URL admitidos incluyen \\\"archivo\\\", \\\"http\\\" y \\\"https\\\". Cuando se crea una funci\\u00f3n utilizando este m\\u00e9todo, Functions Worker recuperar\\u00e1 la implementaci\\u00f3n de la URL proporcionada por el usuario. Sin embargo, esta caracter\\u00edstica introduce una vulnerabilidad que puede ser aprovechada por un atacante para obtener acceso no autorizado a cualquier archivo para el que el proceso Pulsar Functions Worker tenga permisos de lectura. Esto incluye la lectura del entorno del proceso, que potencialmente incluye informaci\\u00f3n confidencial, como secretos. Adem\\u00e1s, un atacante podr\\u00eda aprovechar esta vulnerabilidad para utilizar Pulsar Functions Worker como proxy para acceder al contenido de las URL de endpoints HTTP y HTTPS remotos. Esto tambi\\u00e9n podr\\u00eda usarse para llevar a cabo ataques de denegaci\\u00f3n de servicio. Esta vulnerabilidad tambi\\u00e9n se aplica al Pulsar Broker cuando est\\u00e1 configurado con \\\"functionsWorkerEnabled=true\\\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 
2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones m\\u00e1s nuevas. Las versiones actualizadas de Pulsar Functions Worker impondr\\u00e1n, de forma predeterminada, restricciones a la creaci\\u00f3n de funciones mediante URL. Para los usuarios que dependen de esta funcionalidad, la configuraci\\u00f3n de Function Worker proporciona dos claves de configuraci\\u00f3n: \\\"additionalEnabledConnectorUrlPatterns\\\" y \\\"additionalEnabledFunctionsUrlPatterns\\\". Estas claves permiten a los usuarios especificar un conjunto de patrones de URL permitidos, lo que permite la creaci\\u00f3n de funciones utilizando URL que coinciden con los patrones definidos. Este enfoque garantiza que la funci\\u00f3n permanezca disponible para quienes la requieren, al tiempo que limita el potencial de acceso y explotaci\\u00f3n no autorizados.\"}]",
         id: "CVE-2024-27894",
         lastModified: "2024-11-21T09:05:21.910",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 8.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 6.0}]}",
         published: "2024-03-12T19:15:47.970",
         references: "[{\"url\": \"http://www.openwall.com/lists/oss-security/2024/03/12/11\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p\", \"source\": \"security@apache.org\"}, {\"url\": \"https://pulsar.apache.org/security/CVE-2024-27894/\", \"source\": \"security@apache.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/03/12/11\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://pulsar.apache.org/security/CVE-2024-27894/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
         sourceIdentifier: "security@apache.org",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}, {\"lang\": \"en\", \"value\": \"CWE-552\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-27894\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-03-12T19:15:47.970\",\"lastModified\":\"2025-01-19T03:09:08.147\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \\\"file\\\", \\\"http\\\", and \\\"https\\\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.\\nThis vulnerability also applies to the Pulsar Broker when it is configured with \\\"functionsWorkerEnabled=true\\\".\\n\\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 
\\n\\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\\n\\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\\n\\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \\\"additionalEnabledConnectorUrlPatterns\\\" and \\\"additionalEnabledFunctionsUrlPatterns\\\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.\"},{\"lang\":\"es\",\"value\":\"Pulsar Functions Worker incluye una capacidad que permite a los usuarios autenticados crear funciones donde se hace referencia a la implementación de la función mediante una URL. Los esquemas de URL admitidos incluyen \\\"archivo\\\", \\\"http\\\" y \\\"https\\\". Cuando se crea una función utilizando este método, Functions Worker recuperará la implementación de la URL proporcionada por el usuario. Sin embargo, esta característica introduce una vulnerabilidad que puede ser aprovechada por un atacante para obtener acceso no autorizado a cualquier archivo para el que el proceso Pulsar Functions Worker tenga permisos de lectura. Esto incluye la lectura del entorno del proceso, que potencialmente incluye información confidencial, como secretos. 
Además, un atacante podría aprovechar esta vulnerabilidad para utilizar Pulsar Functions Worker como proxy para acceder al contenido de las URL de endpoints HTTP y HTTPS remotos. Esto también podría usarse para llevar a cabo ataques de denegación de servicio. Esta vulnerabilidad también se aplica al Pulsar Broker cuando está configurado con \\\"functionsWorkerEnabled=true\\\". Este problema afecta a las versiones de Apache Pulsar de 2.4.0 a 2.10.5, de 2.11.0 a 2.11.3, de 3.0.0 a 3.0.2, de 3.1.0 a 3.1.2 y 3.2.0. 2.10 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.10.6. 2.11 Los usuarios de Pulsar Function Worker deben actualizar al menos a 2.11.4. Los usuarios de 3.0 Pulsar Function Worker deben actualizar al menos a 3.0.3. 3.1 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.1.3. 3.2 Los usuarios de Pulsar Function Worker deben actualizar al menos a 3.2.1. Los usuarios que utilicen versiones anteriores a las enumeradas anteriormente deben actualizar a las versiones parcheadas antes mencionadas o a versiones más nuevas. Las versiones actualizadas de Pulsar Functions Worker impondrán, de forma predeterminada, restricciones a la creación de funciones mediante URL. Para los usuarios que dependen de esta funcionalidad, la configuración de Function Worker proporciona dos claves de configuración: \\\"additionalEnabledConnectorUrlPatterns\\\" y \\\"additionalEnabledFunctionsUrlPatterns\\\". Estas claves permiten a los usuarios especificar un conjunto de patrones de URL permitidos, lo que permite la creación de funciones utilizando URL que coinciden con los patrones definidos. 
Este enfoque garantiza que la función permanezca disponible para quienes la requieren, al tiempo que limita el potencial de acceso y explotación no autorizados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4.0\",\"versionEndExcluding\":\"2.10.6\",\"matchCriteriaId\":\"1CC67E07-21B9-485E-8169-0AD81B773690\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.11.0\",\"versionEndExcluding\":\"2.11.4\",\"matchCriteriaId\":\"5615177E-1EAD-4F00-8230-FE7C3B67A641\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.3\",
\"matchCriteriaId\":\"5EC9804F-D93F-41C5-963D-F42DA8779249\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.0\",\"versionEndExcluding\":\"3.1.3\",\"matchCriteriaId\":\"44F5BF49-6151-4A0E-BD7D-280CBB09A868\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pulsar:3.2.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"13ECC4AD-98DF-4BEF-BFE5-6A8A701E0B05\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/12/11\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://pulsar.apache.org/security/CVE-2024-27894/\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/12/11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://pulsar.apache.org/security/CVE-2024-27894/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://pulsar.apache.org/security/CVE-2024-27894/\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/03/12/11\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:41:55.869Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27894\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-13T16:05:51.769657Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:17.339Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Lari Hotari of StreamNative\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Pulsar\", \"versions\": [{\"status\": 
\"affected\", \"version\": \"2.4.0\", \"lessThan\": \"2.10.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2.11.0\", \"lessThan\": \"2.11.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://pulsar.apache.org/security/CVE-2024-27894/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/03/12/11\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \\\"file\\\", \\\"http\\\", and \\\"https\\\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. 
This could also be used to carry out denial of service attacks.\\nThis vulnerability also applies to the Pulsar Broker when it is configured with \\\"functionsWorkerEnabled=true\\\".\\n\\nThis issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \\n\\n2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\\n2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\\n3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\\n3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\\n3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\\n\\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.\\n\\nThe updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \\\"additionalEnabledConnectorUrlPatterns\\\" and \\\"additionalEnabledFunctionsUrlPatterns\\\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include \\\"file\\\", \\\"http\\\", and \\\"https\\\". When a function is created using this method, the Functions Worker will retrieve the implementation from the URL provided by the user. 
However, this feature introduces a vulnerability that can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker process has permissions to read. This includes reading the process environment which potentially includes sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This could also be used to carry out denial of service attacks.<br>This vulnerability also applies to the Pulsar Broker when it is configured with \\\"functionsWorkerEnabled=true\\\".<br><br>This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. <br><br>2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br>2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br>3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br>3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br>3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br><br>Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.<br><br>The updated versions of Pulsar Functions Worker will, by default, impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the Function Worker configuration provides two configuration keys: \\\"additionalEnabledConnectorUrlPatterns\\\" and \\\"additionalEnabledFunctionsUrlPatterns\\\". These keys allow users to specify a set of URL patterns that are permitted, enabling the creation of functions using URLs that match the defined patterns. 
This approach ensures that the feature remains available to those who require it, while limiting the potential for unauthorized access and exploitation.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-552\", \"description\": \"CWE-552 Files or Directories Accessible to External Parties\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-05-01T17:09:31.832Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-27894\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:47:12.314Z\", \"dateReserved\": \"2024-02-26T21:19:23.344Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-03-12T18:19:41.084Z\", \"assignerShortName\": \"apache\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}
