What is CVE-2024-27317?

CVE-2024-27317 is a high-severity vulnerability in Apache Software Foundation Pulsar, classified under Path Traversal. CVSS score: 8.4/10. Published 2024-03-12.

How severe is CVE-2024-27317?

High severity. CVSS v3 base score is 8.4 out of 10.

Path Traversal in Apache Software Foundation Pulsar

CVE-2024-27317

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory tra…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.569 (98.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.4 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L.

Affected products

Apache Software Foundation Pulsar — versions 2.4.0, 2.11.0, 3.0.0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po (mailing-list)
pulsar.apache.org/security/CVE-2024-27317/ (vendor-advisory)
www.openwall.com/lists/oss-security/2024/03/12/10

Frequently asked questions

What is CVE-2024-27317?: CVE-2024-27317 is a high-severity vulnerability in Apache Software Foundation Pulsar, classified under Path Traversal. CVSS score: 8.4/10. Published 2024-03-12.
How severe is CVE-2024-27317?: High severity. CVSS v3 base score is 8.4 out of 10.