Multiple vulnerabilities in Apache Pulsar
Published: 2024-03-15
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 4
CVE-ID: CVE-2024-28098, CVE-2024-27894, CVE-2024-27317, CVE-2024-27135
CWE-ID: CWE-284, CWE-918, CWE-22, CWE-94
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Apache Pulsar
Category: Server applications / Conferencing, Collaboration and VoIP solutions
Vendor: Apache Foundation

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU87566

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28098

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user with only produce or consume permissions can modify topic-level policies, such as retention, TTL, and offloading settings.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.4.0 - 3.2.0

External links

http://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z
http://pulsar.apache.org/security/CVE-2024-28098/
http://lists.apache.org/thread/c4t14729k2ln4mtr2n0z66nh7o1j8q66


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU87565

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27894

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send a specially crafted HTTP request and read arbitrary files with privileges of the Pulsar Functions Worker process or initiate requests to internal systems.
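The bulletin does not say which input the Functions Worker failed to validate, so the following is an added example (not Pulsar's own code) of the check a defender would want on any server-side fetch of a user-supplied package URL: it assumes the worker downloads a URL the user submits, allows only http/https, refuses embedded credentials, and refuses hosts that resolve to loopback, private, link-local or otherwise non-public addresses, including IPv4-mapped IPv6 forms. The resolver is injected so the example runs offline; the sample addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Only remote downloads over HTTP(S) are meaningful for a package fetch;
# file:, ftp:, jar: and similar schemes are rejected outright.
ALLOWED_SCHEMES = {"http", "https"}


def _is_non_public(addr) -> bool:
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_package_url(url: str, resolve=None) -> tuple[bool, str]:
    """Decide whether a user-supplied package URL may be fetched server-side.

    resolve(hostname) -> list of IP strings is injected (hypothetical hook) so the
    check runs offline; in production it is a DNS lookup, and the same address
    test must be repeated on the socket actually opened to defeat DNS rebinding.
    Returns (allowed, reason).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        if resolve is None:
            return False, f"no resolver available to check {host!r}"
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False, f"resolver returned a non-IP answer for {host!r}"
        if not addrs:
            return False, f"could not resolve {host!r}"
    for addr in addrs:
        if _is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver: maps a sample public hostname to a sample public IP.
    fake_dns = {"packages.example.com": ["93.184.216.34"]}.get
    for candidate in (
        "https://packages.example.com/fn.nar",
        "file:///etc/passwd",
        "http://127.0.0.1:8080/admin",
        "http://10.0.0.5/internal.nar",
        "http://[::ffff:127.0.0.1]/",
    ):
        print(candidate, "->", is_safe_package_url(candidate, resolve=fake_dns))
```

The scheme allowlist is what closes the "read arbitrary files" half of the description; the address check closes the "requests to internal systems" half. Both are necessary, and neither replaces checking the address the HTTP client finally connects to.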

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.4.0 - 3.2.0

External links

http://lists.apache.org/thread/45cqhgqg8d19ongjw18ypcss8vwh206p
http://pulsar.apache.org/security/CVE-2024-27894/
http://lists.apache.org/thread/cy4o2cyymdvy3s2nkotxbfblbyd9zhqz


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Path traversal

EUVDB-ID: #VU87562

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27317

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to improper validation of file names inside .jar and .nar files. A remote user can upload a specially crafted archive to the application and overwrite arbitrary files on the system.
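As an added example (not Pulsar's own code), the check that closes this class of bug: before any member of an uploaded .jar/.nar (both are zip archives) is written to disk, resolve its name against the intended extraction root and reject anything that would land outside it, including absolute names, drive-letter prefixes and `..` segments. The extraction root and the sample archive below are constructed for the example; the check is lexical, so the directory need not exist.

```python
import io
import os
import zipfile


def unsafe_entries(archive_bytes: bytes, dest_dir: str = "/opt/pulsar/functions") -> list[str]:
    """Return archive member names that would be written outside dest_dir.

    dest_dir is a placeholder extraction root, not a real Pulsar path.
    """
    dest_root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # Backslash-separated names still traverse on Windows, so normalise first.
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive-letter prefixes can never be legitimate members.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                bad.append(info.filename)
                continue
            # Resolve the would-be target and require it to stay under the root;
            # realpath collapses "..", so "a/../../x" is caught as well.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                bad.append(info.filename)
    return bad


def build_sample_archive() -> bytes:
    """Constructed .nar-like archive: two benign members and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/MyFunction.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../../../tmp/evil.txt", "escapes via .. segments")
        zf.writestr("/etc/cron.d/evil", "escapes via absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    offending = unsafe_entries(build_sample_archive())
    if offending:
        print("rejecting archive; unsafe members:", offending)
    else:
        print("archive is safe to unpack")
```

Rejecting the whole archive on the first bad member, rather than skipping that member, is the right policy: an archive that contains a traversal entry is hostile, not merely malformed. Note that Python's own `ZipFile.extract` sanitises names, but code that opens members by name and writes them itself (as a Java-based unpacker typically does) gets no such protection and needs this check.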

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.4.0 - 3.2.0

External links

http://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po
http://pulsar.apache.org/security/CVE-2024-27317/
http://lists.apache.org/thread/n1pbx90r45rb6jcnj2g8s95nh872fztn


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Code Injection

EUVDB-ID: #VU87560

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27135

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote authenticated user can send a specially crafted request and execute arbitrary Java code on the Pulsar Function worker.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Pulsar: 2.4.0 - 3.2.0

External links

http://lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn
http://pulsar.apache.org/security/CVE-2024-27135/
http://lists.apache.org/thread/y5f2vht63h0sc1xcyt5s1l4scdshxb3l


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.