Apache Pulsar WebSocket Proxy Improper Authentication
CVE-2023-37544 Published on December 20, 2023
Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.
This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0.
The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.
2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.
3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.
3.1 Pulsar WebSocket Proxy users are unaffected.
Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.
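The following probe is an added example, not code from the Apache Pulsar project or from the advisory. It sends a plain RFC 6455 opening handshake with no Authorization header to the proxy's /pingpong endpoint (the path named in the advisory) and reports whether the proxy completes the upgrade (HTTP 101) or rejects it (401/403). The host, the port 8080 and the verdict labels are assumptions for a lab deployment, and the path is a parameter in case your proxy mounts the servlet elsewhere. Run it against a proxy that has authentication enabled (authenticationEnabled=true in websocket.conf): a 101 there means the ping/pong endpoint still skips authentication, which is the behaviour the advisory describes; a 101 from a proxy with authentication disabled is expected and is not a finding.

```python
"""Probe whether a Pulsar WebSocket Proxy accepts an unauthenticated
WebSocket upgrade on its ping/pong endpoint (CVE-2023-37544 check).

Added example, not code from the Apache Pulsar project or the advisory.
Host, port and path are assumptions; edit them for your deployment.
"""
import base64
import os
import socket
import ssl
from typing import Optional

# Assumed defaults: the advisory names the /pingpong endpoint; the host
# and port here are placeholders for a lab deployment.
DEFAULT_HOST = "localhost"
DEFAULT_PORT = 8080
DEFAULT_PATH = "/pingpong"


def build_upgrade_request(host: str, path: str,
                          auth_header: Optional[str] = None) -> bytes:
    """Build an RFC 6455 opening handshake.

    No Authorization header is sent by default: that is exactly the
    condition the advisory describes. Pass e.g. "Bearer <token>" to
    compare against an authenticated handshake.
    """
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if auth_header:
        lines.append(f"Authorization: {auth_header}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_response(raw: bytes) -> str:
    """Map the proxy's handshake reply to a verdict (labels are ours).

    101 Switching Protocols without credentials -> 'unauthenticated-accepted'
    (the vulnerable behaviour when authentication is enabled);
    401/403 -> 'rejected' (expected on a patched proxy with authentication
    enabled); anything else, including garbage or an empty reply -> 'other'.
    """
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1", errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "other"
    try:
        code = int(parts[1])
    except ValueError:
        return "other"
    if code == 101:
        return "unauthenticated-accepted"
    if code in (401, 403):
        return "rejected"
    return "other"


def probe(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
          path: str = DEFAULT_PATH, use_tls: bool = False,
          timeout: float = 5.0) -> str:
    """Connect (TCP, or TLS if the proxy terminates TLS), send the
    unauthenticated upgrade, and classify the first response bytes.
    Network-only; the offline tests exercise the two helpers above."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(
                sock, server_hostname=host)
        sock.sendall(build_upgrade_request(host, path))
        raw = sock.recv(4096)
    finally:
        sock.close()
    return classify_response(raw)


if __name__ == "__main__":
    verdict = probe()
    print(f"{DEFAULT_HOST}:{DEFAULT_PORT}{DEFAULT_PATH} -> {verdict}")
    if verdict == "unauthenticated-accepted":
        print("Proxy completed the upgrade without credentials; if "
              "authentication is enabled this matches CVE-2023-37544.")
```

After upgrading to one of the fixed releases listed above, rerun the probe: with authentication enabled the verdict should change from unauthenticated-accepted to rejected. The script reads only the status line of the reply, so it never sends WebSocket ping frames and does not reproduce the data-transfer abuse the advisory mentions.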
Vulnerability Analysis
CVE-2023-37544 is exploitable over the network and requires neither privileges nor user interaction; attack complexity is low. A successful exploit has no impact on confidentiality or integrity and a high impact on availability (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5).
Weakness Type
What is an Authentication Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2023-37544 has been classified as an authentication vulnerability or weakness (CWE-287: Improper Authentication).
Products Associated with CVE-2023-37544
Affected Versions
Apache Software Foundation Apache Pulsar WebSocket Proxy:
- 2.8.0 through 2.8.* (all 2.8 releases) is affected.
- 2.9.0 through 2.9.* (all 2.9 releases) is affected.
- 2.10.0 through 2.10.4 is affected.
- 2.11.0 through 2.11.1 is affected.
- 3.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.