SCA: security update for org.apache.pulsar:pulsar-functions-worker (GHSA-c2x9-vw5h-39vc)

high Tenable Cloud Security Plugin ID 413598

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Pulsar Functions Worker includes a capability that permits authenticated users to create functions
where the function's implementation is referenced by a URL. The supported URL schemes include "file",
"http", and "https". When a function is created using this method, the Functions Worker will retrieve the
implementation from the URL provided by the user. However, this feature introduces a vulnerability that
can be exploited by an attacker to gain unauthorized access to any file that the Pulsar Functions Worker
process has permissions to read. This includes reading the process environment which potentially includes
sensitive information, such as secrets. Furthermore, an attacker could leverage this vulnerability to use
the Pulsar Functions Worker as a proxy to access the content of remote HTTP and HTTPS endpoint URLs. This
could also be used to carry out denial of service attacks. This vulnerability also applies to the Pulsar
Broker when it is configured with "functionsWorkerEnabled=true". This issue affects Apache Pulsar versions
from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 2.10
Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should
upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar
Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to
at least 3.2.1. Users operating versions prior to those listed above should upgrade to the aforementioned
patched versions or newer versions. The updated versions of Pulsar Functions Worker will, by default,
impose restrictions on the creation of functions using URLs. For users who rely on this functionality, the
Function Worker configuration provides two configuration keys: "additionalEnabledConnectorUrlPatterns" and
"additionalEnabledFunctionsUrlPatterns". These keys allow users to specify a set of URL patterns that are
permitted, enabling the creation of functions using URLs that match the defined patterns. This approach
ensures that the feature remains available to those who require it, while limiting the potential for
unauthorized access and exploitation. (CVE-2024-27894)

See Also

https://github.com/advisories/GHSA-c2x9-vw5h-39vc

Plugin Details

Severity: High

ID: 413598

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-27894

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/12/2024

Vulnerability Publication Date: 3/12/2024

Reference Information

CVE: CVE-2024-27894

cwe: CWE-20