org.apache.pulsar:pulsar-broker@2.5.2 vulnerabilities

Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') due to improper validation of filenames in uploaded jar or nar files, which are essentially zip files. An attacker can create or modify files outside of the designated extraction directory, potentially influencing system behavior by uploading a malicious file that exploits directory traversal with special elements like .. in the filenames.

Note: This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

Upgrade org.apache.pulsar:pulsar-broker to version 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1 or higher.

Affected versions of this package are vulnerable to Improper Access Control due to the capability that permits authenticated users to create functions where the function's implementation is referenced by a URL, including schemes like file, http, and https. An attacker can gain unauthorized access to any file that the process has permission to read, including sensitive information in the process environment, by creating a function with a URL pointing to the desired file. Furthermore, this vulnerability can be exploited to use the process as a proxy to access the content of remote HTTP and HTTPS endpoint URLs, which could be leveraged to carry out denial-of-service attacks.

Note: This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

Upgrade org.apache.pulsar:pulsar-broker to version 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1 or higher.

Affected versions of this package are vulnerable to Insufficient Session Expiration which allows a client to stay connected to a broker after authentication data expires if the client connected through the Pulsar Proxy when the broker is configured with authenticateOriginalAuthData=false or if a client connects directly to a broker with a specially crafted connect command when the broker is configured with authenticateOriginalAuthData=false.

Upgrade org.apache.pulsar:pulsar-broker to version 2.9.5, 2.10.4, 2.11.1 or higher.

Affected versions of this package are vulnerable to Access Restriction Bypass. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.

Upgrade org.apache.pulsar:pulsar-broker to version 2.9.0, 2.10.4, 2.11.1 or higher.

Affected versions of this package are vulnerable to Improper Certificate Validation due to Apache Pulsar Brokers and Proxies creating an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients.An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack.

Upgrade org.apache.pulsar:pulsar-broker to version 2.7.5, 2.8.4, 2.9.3, 2.10.1 or higher.