org.apache.pulsar:pulsar-functions-worker@2.10.1 vulnerabilities

  • latest version: 4.0.1

  • latest non vulnerable version

  • first published: 6 years ago

  • latest version published: 1 month ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.pulsar:pulsar-functions-worker package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: High
    Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation, which allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions.

    Note: This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

    How to fix Improper Input Validation?

    Upgrade org.apache.pulsar:pulsar-functions-worker to version 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1 or higher.

    Vulnerable versions: [2.10.0,2.10.6), [2.11.0,2.11.4), [3.0.0,3.0.3), [3.1.0,3.1.3), [3.2.0,3.2.1)
    • Severity: High
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') due to improper validation of filenames in uploaded jar or nar files, which are essentially zip files. An attacker can create or modify files outside of the designated extraction directory, potentially influencing system behavior by uploading a malicious file that exploits directory traversal with special elements like .. in the filenames.

    Note: This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

    How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

    Upgrade org.apache.pulsar:pulsar-functions-worker to version 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1 or higher.

    Vulnerable versions: [2.4.0,2.10.6), [2.11.0,2.11.4), [3.0.0,3.0.3), [3.1.0,3.1.3), [3.2.0,3.2.1)
    • Severity: High
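    The traversal described above is the classic "Zip Slip" pattern: an archive entry named with `..` components resolves outside the extraction directory unless the extractor checks containment. The following is an added example of the defensive check, written for this page and not taken from Pulsar's code base. It assumes nothing about Pulsar's internals: it extracts any jar/nar (zip) stream into a destination directory and refuses every entry whose normalized path does not stay under that directory. The hostile entry name in `main` is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example (not Pulsar code): extract an uploaded jar/nar archive while
 * rejecting any entry whose name would escape the destination directory.
 * Entry names come from the uploaded file and are untrusted input.
 */
public final class SafeArchiveExtractor {

    private SafeArchiveExtractor() {}

    /**
     * Resolves an untrusted entry name against destDir and returns the
     * normalized absolute path, or throws if the result is not strictly inside
     * destDir. Path.startsWith compares whole components, so "/x/dest" does not
     * accidentally match "/x/destination".
     */
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // Conservative: refuse absolute names and drive-letter style prefixes outright.
        if (entryName.startsWith("/") || entryName.startsWith("\\") || entryName.contains(":")) {
            throw new IOException("Rejected absolute archive entry: " + entryName);
        }
        Path target = base.resolve(entryName).normalize(); // normalize() collapses ".."
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Rejected traversal in archive entry: " + entryName);
        }
        return target;
    }

    /**
     * Extracts all entries into destDir and returns the files written. The first
     * entry that fails the containment check aborts extraction; the caller should
     * then discard destDir, since earlier benign entries may already be on disk.
     */
    public static List<Path> extract(InputStream archive, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                Path target = resolveInside(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(target);
                }
                zip.closeEntry();
            }
        }
        return written;
    }

    // Demonstration: a constructed in-memory archive with one benign entry and
    // one entry whose name climbs out of the extraction directory.
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            out.write("Manifest-Version: 1.0\n".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
            out.putNextEntry(new ZipEntry("../../escaped.txt")); // constructed hostile name
            out.write("x".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        Path dest = Files.createTempDirectory("nar-extract");
        try {
            List<Path> files = extract(new ByteArrayInputStream(buf.toByteArray()), dest);
            System.out.println("extracted " + files.size() + " file(s)");
        } catch (IOException e) {
            System.out.println("extraction aborted: " + e.getMessage());
        }
    }
}
```

    Running `main` prints `extraction aborted: Rejected traversal in archive entry: ../../escaped.txt` after the manifest has been written; the decisive step is normalizing the resolved path and comparing it component-wise against the destination rather than string-matching the raw entry name.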
    Improper Access Control

    Affected versions of this package are vulnerable to Improper Access Control due to the capability that permits authenticated users to create functions where the function's implementation is referenced by a URL, including schemes like file, http, and https. An attacker can gain unauthorized access to any file that the process has permission to read, including sensitive information in the process environment, by creating a function with a URL pointing to the desired file. Furthermore, this vulnerability can be exploited to use the process as a proxy to access the content of remote HTTP and HTTPS endpoint URLs, which could be leveraged to carry out denial-of-service attacks.

    Note: This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

    How to fix Improper Access Control?

    Upgrade org.apache.pulsar:pulsar-functions-worker to version 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1 or higher.

    Vulnerable versions: [2.10.0,2.10.6), [2.11.0,2.11.4), [3.0.0,3.0.3), [3.1.0,3.1.3), [3.2.0,3.2.1)
    • Severity: High
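    The root of the issue above is that the worker dereferenced whatever URL scheme an authenticated user supplied for a function's implementation. A defensive pattern is to validate the location against an explicit allowlist before any fetch happens. The following is an added example of such a check, written for this page and not part of Pulsar; the permitted schemes (`function`, `sink`, `source`) and the trusted HTTPS host pattern are hypothetical policy values chosen for the demonstration, and the sample locations in `main` are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Pulsar code): validate a user-supplied package location
 * before the worker dereferences it. Hypothetical policy: only the cluster's
 * own package-store schemes and an explicit list of trusted HTTPS hosts are
 * accepted; file:, plain http: and any unknown scheme are refused.
 */
public final class PackageUrlPolicy {

    private final Set<String> allowedSchemes;       // e.g. internal package-store schemes
    private final List<Pattern> allowedHttpsHosts;  // exact-match patterns for https hosts

    public PackageUrlPolicy(Set<String> allowedSchemes, List<Pattern> allowedHttpsHosts) {
        this.allowedSchemes = allowedSchemes;
        this.allowedHttpsHosts = allowedHttpsHosts;
    }

    /** Returns null if the location is acceptable, otherwise the reason it was refused. */
    public String reject(String location) {
        URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            return "unparseable URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return "missing scheme";
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if ("file".equals(scheme)) {
            // Would let the worker read any file its process can read.
            return "file: scheme is not permitted";
        }
        if ("https".equals(scheme)) {
            if (uri.getRawUserInfo() != null) {
                return "userinfo in URL is not permitted";
            }
            String host = uri.getHost();
            if (host == null) {
                return "https URL without a host";
            }
            for (Pattern p : allowedHttpsHosts) {
                if (p.matcher(host).matches()) {
                    return null;
                }
            }
            return "https host not on the allowlist: " + host;
        }
        if (allowedSchemes.contains(scheme)) {
            return null;
        }
        // Covers http: and anything else not explicitly listed.
        return "scheme not permitted: " + scheme;
    }

    public static void main(String[] args) {
        PackageUrlPolicy policy = new PackageUrlPolicy(
            Set.of("function", "sink", "source"),                      // hypothetical
            List.of(Pattern.compile("artifacts\\.example\\.internal"))); // hypothetical
        String[] samples = {                                           // constructed
            "function://public/default/my-fn@v1",
            "file:///etc/hosts",
            "http://mirror.example.net/fn.nar",
            "https://artifacts.example.internal/fn.nar",
            "https://other.example.com/fn.nar",
        };
        for (String s : samples) {
            String why = policy.reject(s);
            System.out.println(s + " -> " + (why == null ? "ALLOWED" : "REJECTED: " + why));
        }
    }
}
```

    The policy is deny-by-default: only the first and fourth sample locations are allowed, and the decision is made on the parsed scheme and host rather than on a substring of the raw string, so variations in case or embedded userinfo do not slip past the check.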
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials.

    Note: This vulnerability is mitigated by the fact that there is no known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.

    How to fix Incorrect Authorization?

    Upgrade org.apache.pulsar:pulsar-functions-worker to version 2.10.4, 2.11.1 or higher.

    Vulnerable versions: [,2.10.4), [2.11,2.11.1)