PT-2023-26015 · Apache · Apache Pulsar Websocket Proxy

Michael Marshall · Published 2023-12-20 · Updated 2024-01-04 · CVE-2023-37544

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Pulsar WebSocket Proxy versions 2.8.0 through 2.8.*
Apache Pulsar WebSocket Proxy versions 2.9.0 through 2.9.*
Apache Pulsar WebSocket Proxy versions 2.10.0 through 2.10.4
Apache Pulsar WebSocket Proxy versions 2.11.0 through 2.11.1
Apache Pulsar WebSocket Proxy version 3.0.0

Description

An Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the "/pingpong" endpoint without authentication. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.

Recommendations

For Apache Pulsar WebSocket Proxy versions 2.8.0 through 2.8.*, upgrade to at least version 2.10.5, 2.11.2, or 3.0.1.
For Apache Pulsar WebSocket Proxy versions 2.9.0 through 2.9.*, upgrade to at least version 2.10.5, 2.11.2, or 3.0.1.
For Apache Pulsar WebSocket Proxy versions 2.10.0 through 2.10.4, upgrade to at least version 2.10.5.
For Apache Pulsar WebSocket Proxy versions 2.11.0 through 2.11.1, upgrade to at least version 2.11.2.
For Apache Pulsar WebSocket Proxy version 3.0.0, upgrade to at least version 3.0.1.

Fix

Improper Authentication


Weakness Enumeration

Related identifiers

CVE-2023-37544
GHSA-83Q5-WHQP-R8JR

Affected products

Apache Pulsar Websocket Proxy