CVE-2022-24280

Name of the Vulnerable Software and Affected Versions Apache Pulsar Proxy versions 2.6.4 and earlier Apache Pulsar Proxy versions 2.7.0 through 2.7.4 Apache Pulsar Proxy versions 2.8.0 through 2.8.2 Apache Pulsar Proxy versions 2.9.0 through 2.9.1

Description The issue is related to an Improper Input Validation vulnerability in the Proxy component of Apache Pulsar. This vulnerability allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address. The attacker will have to have a valid token to a properly secured Pulsar Proxy.

Recommendations For Apache Pulsar Proxy versions 2.6.4 and earlier, update to a version later than 2.6.4. For Apache Pulsar Proxy versions 2.7.0 through 2.7.4, update to a version later than 2.7.4. For Apache Pulsar Proxy versions 2.8.0 through 2.8.2, update to a version later than 2.8.2. For Apache Pulsar Proxy versions 2.9.0 through 2.9.1, update to a version later than 2.9.1. As a temporary workaround, consider restricting access to the Proxy component to minimize the risk of exploitation.