CVE-2023-37544

CWE-287 — Improper Authentication4 documents4 sources

Severity

7.5HIGH

EPSS

0.1%

top 79.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Pulsar Apache Software Foundation Apache Pulsar Websocket Proxy

Timeline

PublishedDec 20

Description

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_pulsar_websocket_proxy2.8.0 — 2.8.*+4

▶Mavenorg.apache.pulsar:pulsar-websocket2.11.0 — 2.11.2+2

▶NVDapache/pulsar2.11.0 — 2.11.2+2

🔴Vulnerability Details

GHSA

Apache Pulsar WebSocket Proxy contains an Improper Authentication vulnerability↗2023-12-20

▶

CVEList

Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS↗2023-12-20

▶

OSV

Apache Pulsar WebSocket Proxy contains an Improper Authentication vulnerability↗2023-12-20

▶