Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-37544

Good to know:

icon
icon

Date: December 20, 2023

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

Language: Java

Severity Score

Related Resources (5)

https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m
https://nvd.nist.gov/vuln/detail/CVE-2023-37544
http://www.openwall.com/lists/oss-security/2023/12/20/2
https://seclists.org/oss-sec/2023/q4/299
https://www.mend.io/vulnerability-database/CVE-2023-37544

Severity Score

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.pulsar:pulsar-broker:2.10.5,2.11.2,3.0.1, org.apache.pulsar:pulsar-proxy:2.10.5,2.11.2,3.0.1, org.apache.pulsar:pulsar-websocket:2.10.5,2.11.2,3.0.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us