Improper Access Control Affecting org.apache.pulsar:pulsar-broker package, versions [2.4.0,2.10.6) [2.11.0,2.11.4) [3.0.0,3.0.3) [3.1.0,3.1.3) [3.2.0,3.2.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHEPULSAR-6427209
- published 13 Mar 2024
- disclosed 12 Mar 2024
- credit Lari Hotari of StreamNative
Introduced: 12 Mar 2024
CVE-2024-27894 Open this link in a new tabHow to fix?
Upgrade org.apache.pulsar:pulsar-broker to version 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1 or higher.
Overview
Affected versions of this package are vulnerable to Improper Access Control due to the capability that permits authenticated users to create functions where the function's implementation is referenced by a URL, including schemes like file, http, and https. An attacker can gain unauthorized access to any file that the process has permission to read, including sensitive information in the process environment, by creating a function with a URL pointing to the desired file. Furthermore, this vulnerability can be exploited to use the process as a proxy to access the content of remote HTTP and HTTPS endpoint URLs, which could be leveraged to carry out denial-of-service attacks.
Note: This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".