Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an malicious user to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 up to and including 2.8.*, from 2.9.0 up to and including 2.9.*, from 2.10.0 up to and including 2.10.4, from 2.11.0 up to and including 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and previous versions should upgrade to one of the above patched versions.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apache pulsar 3.0.0 |
||
apache pulsar |