Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/12/20/2 | Mailing List |
https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m | Mailing List |
http://www.openwall.com/lists/oss-security/2023/12/20/2 | Mailing List |
https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m | Mailing List |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:11
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2023/12/20/2 - Mailing List | |
References | () https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m - Mailing List |
04 Jan 2024, 18:52
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
References | () https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m - Mailing List | |
References | () http://www.openwall.com/lists/oss-security/2023/12/20/2 - Mailing List | |
CPE | cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* cpe:2.3:a:apache:pulsar:3.0.0:*:*:*:*:*:*:* |
20 Dec 2023, 13:50
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-20 09:15
Updated : 2024-11-21 08:11
NVD link : CVE-2023-37544
Mitre link : CVE-2023-37544
CVE.ORG link : CVE-2023-37544
JSON object : View
Products Affected
apache
- pulsar
CWE
CWE-287
Improper Authentication