CVE-2023-37544

Published: 20/12/2023 Updated: 04/01/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows a malicious user to connect to the /pingpong endpoint without authentication.

This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 up to and including 2.8.*, from 2.9.0 up to and including 2.9.*, from 2.10.0 up to and including 2.10.4, from 2.11.0 up to and including 2.11.1, 3.0.0.

The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.

2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and previous versions should upgrade to one of the above patched versions.
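To check a deployment inventory against the ranges above, the following added example (not part of the advisory or of Apache Pulsar) classifies a WebSocket Proxy version and returns the upgrade target. The function names, status labels and sample hostnames are assumptions, and treating release lines newer than 3.1 as unaffected is an assumption beyond what the advisory states.

```python
import re

# Minimum fixed patch level per release line, as stated in the advisory text.
FIXED = {(2, 10): 5, (2, 11): 2, (3, 0): 1}
# Lines the advisory lists as affected without naming a fix in the same line.
AFFECTED_NO_INLINE_FIX = {(2, 8), (2, 9)}

# Constructed sample inventory (hostnames are hypothetical).
SAMPLE_INVENTORY = {"ws-proxy-a": "2.10.4", "ws-proxy-b": "3.0.1",
                    "ws-proxy-c": "2.9.3", "ws-proxy-d": "unknown"}


def parse_version(text):
    """Return (major, minor, patch) from '2.10.4', 'v3.0.0' or '2.11.1-SNAPSHOT'.
    Any suffix after the numeric part is ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version):
    """Return (status, upgrade_targets) for one version string.
    'upgrade-advised' marks lines older than 2.8: the advisory tells those
    users to upgrade but does not list them in the affected ranges."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    all_fixed = [f"{a}.{b}.{p}" for (a, b), p in sorted(FIXED.items())]
    if line in FIXED:
        if patch < FIXED[line]:
            return "affected", [f"{major}.{minor}.{FIXED[line]}"]
        return "not-affected", []
    if line in AFFECTED_NO_INLINE_FIX:
        return "affected", all_fixed
    if line < (2, 8):
        return "upgrade-advised", all_fixed
    return "not-affected", []  # 3.1 per the advisory; later lines assumed


def report(inventory):
    """Map {host: version} to {host: (status, targets)}; unparsable versions
    are flagged for manual review instead of being silently passed."""
    out = {}
    for host, version in inventory.items():
        try:
            out[host] = triage(version)
        except ValueError:
            out[host] = ("unknown-version", [])
    return out
```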

Vulnerable Product

apache pulsar 3.0.0

apache pulsar

Mailing Lists

oss-sec mailing list archives: CVE-2023-37544: Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS ...